See related files:
http://www.eff.org/IP/Video (EFF Archive)
http://cryptome.org/cryptout.htm#DVD-DeCSS (Cryptome Archive)
http://www.2600.com/dvd/docs (2600 Archive)
http://eon.law.harvard.edu/openlaw/dvd/ (Harvard DVD OpenLaw Project)
UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF NEW YORK
00 Civ. 20277

UNIVERSAL CITY STUDIOS, INC., PARAMOUNT PICTURES CORPORATION, METRO-GOLDWYN-MAYER STUDIOS, INC., TRISTAR PICTURES, INC., COLUMBIA PICTURES INDUSTRIES, INC., TIME WARNER ENTERTAINMENT CO., L.P., DISNEY ENTERPRISES, INC., and TWENTIETH CENTURY FOX FILM CORPORATION,
Plaintiffs,
Vs.
SHAWN C. REIMERDES, ERIC CORLEY, a/k/a "EMMANUEL GOLDSTEIN" and ROMAN KAZAN and 2600 ENTERPRISES, INC.,
Defendants.

Videotape deposition of EDWARD FELTEN, taken in the above-entitled matter before Michele Anzivino, Notary Public of the State of New York, taken at the offices of PROSKAUER ROSE, 1585 Broadway, New York, New York on Friday, July 7, 2000 commencing at 10:28 a.m.

NEW YORK REPORTING COMPANY (USA), LTD.
245 PARK AVENUE, 39TH FLOOR
NEW YORK, NEW YORK 10167
(212) 792-5623 Fax: (212) 792-5624

A P P E A R A N C E S:

PROSKAUER ROSE, LLP
1585 Broadway, New York, New York 10036-8299
(212) 969-3095
Attorney for Plaintiffs
By: WILLIAM M. HART, ESQ., LEON PHILLIP GOLD, ESQ.

FRANKFURT, GARBUS, KLEIN & SELZ, P.C.
488 Madison Avenue, New York, New York 10022
(212) 826-5582
Attorney for Defendant Eric Corley
BY: MARTIN GARBUS, ESQ.

Also present: Eileen McDonald, Videographer

I N D E X

WITNESS: EDWARD FELTEN
EXAMINATION BY: Mr. Hart

INDEX TO EXHIBITS
1 Documents
2 Documents
3 Copy of declaration

THE VIDEOGRAPHER: This is Eileen Dougherty. We are going on the record at 10:30 a.m. on July 7, 2000. We are here for the case Universal versus Reimerdes. The witness today is Edward Felten. We are at the location of 1585 Broadway, New York, New York.
Will the attorneys please state their appearances for the record.
MR. HART: Yeah. This is Bill Hart from Proskauer Rose for the plaintiffs.
MR. GARBUS: Martin Garbus, Frankfurt, Garbus, Klein & Selz for the defendant.
THE VIDEOGRAPHER: Will the court reporter please administer the oath.

E D W A R D   F E L T E N, having been first duly sworn, was examined and testified as follows:

EXAMINATION BY MR. HART:
Q. Good morning, Mr. Felten.
A. Good morning.
Q. Have you ever been deposed before?
A. Yes, twice.
Q. In what matters?
A. Both times in U.S. versus Microsoft, the antitrust case.
Q. Oh. And if you can just tell me generally what the subject matter was that you testified to in those depositions.
A. Sure. The first time was in the main part of the case, and I testified mostly about issues relating to software design and software construction, about operating systems and browsers and how they related to each other in general. And then specifically how Microsoft's products, Windows '95 and '98 and Internet Explorer, related.
Q. Okay. And what you just described was the subject matter of both of the depositions you referred to?
A. Both depositions talked about those matters. And then the second deposition I also talked about -- that was in the rebuttal phase of the trial. And so I talked about rebutting some of the Microsoft witnesses' statements on those same topics.
Q. Okay. And who were you testifying on behalf of?
A. Of the -- of the Department of Justice.
Q. Okay. Did you ever testify at the trial or in any of the court proceedings in that action?
A. Yes, I testified twice in court.
Q. Okay. And was your testimony related to the same subjects that you just described?
A. Yes.
Q. Was there anything else in your court testimony in addition to what you described regarding your deposition testimony?
A. Let me think about that. There was a discussion of security issues in -- in my court testimony which I -- which was not on the list I gave you before.
Q. Okay. And by "security issues," what do you mean?
A. The implications for the security of PCs of various things that Microsoft had done.
Q. Okay. And by "security," do we mean preventing people from getting unauthorized access into the P.C. or what? I mean, I just --
A. Both. Both preventing unauthorized access to the P.C. and also privacy issues. That is, what kinds of information about the user of the P.C. become available to other people across the Net.
Q. Got you. Okay. I want to mark a couple of exhibits, and I'm trying to do this as efficiently as possible.
MR. HART: Ms. Reporter, I'm going to hand you Exhibits 1, 2 and 3 in that order. Marty, just give us a moment.
Q. Mr. Felten, I'll have you identify these for the record once the reporter has marked them.
A. Okay.
MR. HART: Actually, those copies are for you, Marty, because I prefer the witness refer to the ones that will have exhibit numbers to make it a little easier.
(Thereupon, Documents marked as Felten Exhibits 1, 2 and 3 for identification as of today's date)
Q. Okay. If you would sequentially, Exhibits 1, 2 and 3, and if you don't mind my just asking --
A. Okay.
Q. -- a group question for all of them. A., Have you ever seen the document before, and B., If so, what is it?
A. Okay. Number 1, I do not think I've seen.
Q. Okay.
A. I've not seen Number 2.
Q. Okay.
A. And Number 3 I have seen, and this was a copy of a declaration which -- which I prepared.
Q. Okay.
A. And it has my C.V. as -- as an appendix to it.
Q. Very good. Are you going to be testifying in the trial of this case?
A. I expect to.
Q. Okay. Is there any reason, to your knowledge, based on your own availability that you wouldn't be able to, assuming that the court goes forward on the date scheduled?
A. It depends on the length of the trial.
Q. Okay.
A. I understand the trial is scheduled to start on the 17th.
Q. Right.
A. And for the first two weeks beginning on the 17th, I'm available.
Q. Okay.
A. The following week I am not sure about my availability. I have a consulting job that will involve a trip to Ottawa, and I'm not sure which day that will be on. That still has to be arranged with the people I would be visiting.
Q. Okay.
A. And if the trial goes beyond the third week, then I'm not sure.
Q. I understand. Were you asked to collect any documents in your possession or control to turn over in connection with this case or with your deposition?
A. No.
Q. Okay. When were you first contacted about the possibility of your testifying in some form or another in connection with this case? And by "testifying" I mean both in deposition and/or at trial.
A. I don't recall exactly when it was. I think -- I'd estimate it was perhaps two months ago.
Q. Okay. And who made that contact to you?
A. The first -- the first contact I had actually was at a -- at a lunch. Professor Appel was going to have lunch with Mr. Garbus in Princeton and -- and Professor Appel invited me to come along and I talked with Mr. Garbus at that lunch. That was the first contact I'd had.
Q. Okay. And prior to being invited to that lunch had you ever heard of this case before?
A. Yes.
Q. When did you first hear of this case?
A. I don't remember exactly when I heard of it. It was, to estimate, perhaps January.
Q. Okay.
And how did you first hear of it?
A. In conversations with -- with colleagues. I think that's when I first heard of it.
Q. Colleagues where?
A. It -- it would have been at a conference, at a discussion during a break session in a conference.
Q. Is this a conference at Princeton or elsewhere?
A. I went to a number of conferences in January, but I don't -- it would have been elsewhere, but I don't know which conference exactly.
Q. Okay. Was Mr. Appel one of the colleagues that you include?
A. No.
Q. Okay.
A. I should -- let me clarify. By "colleagues" I mean people working in the same field as me, not necessarily people at Princeton.
Q. Got you. But Mr. Appel was not at that conference?
A. He was not -- no, he was not at any of the conferences I went to.
Q. Now, you work -- I don't mean to interrupt you.
A. I'm finished.
Q. Okay. I'll try not to do that. You work with Mr. Appel at Princeton?
A. Yes.
Q. Okay. Can you tell me what differences there are between your two respective specialties or knowledges or areas of expertise?
A. Sure. I can talk about some areas in which I have more knowledge and expertise and other areas where he has more if that's a helpful way to do.
Q. Fine. That would be great.
A. Okay. I think I have more expertise in general, in issues relating to security and cryptography. I have more expertise related to operating systems and what you might call Internet software. He has more expertise related to programming languages, software engineering and topics related to how software is generally constructed.
Q. And are there areas where at least in general you'd say the two of you overlap in terms of your respective expertises, knowledge or experience?
A. Sure.
I think we both have -- when I gave you the list of areas there, I didn't mean to imply that he has no expertise in areas where I have more, nor that I have none in areas where he has more.
Q. I appreciate that.
A. So yes, there's -- there is a significant amount of overlap between -- between our expertise.
Q. Okay. When you said a minute ago that one of the areas that you have special knowledge in is in Internet software --
A. Yes.
Q. -- what do you mean by "Internet software"?
A. I mean the workings and designs of things like Web browsers and e-mail software and so on, the sorts of software that people use when accessing the Internet.
Q. Okay. And does that also relate to -- does that expertise, if you will, also relate to the networking capabilities and speed of networks with respect to the Internet?
A. I think I probably have more experience and expertise than he does relating to how Internet -- the Internet works, sort of the plumbing, the guts of it.
Q. Mm-hmm.
A. As far as the speeds, I'm not sure.
Q. Okay.
A. I'm not sure how I would characterize that.
Q. Okay.
A. Whether I would know more or he would know more.
Q. Okay. Fair enough. Can you tell me in your professional estimation what basic factors contribute to or play a role in Internet network speed?
A. Well, that's a big topic.
Q. I understand.
A. There are a number of -- and it's a question that can be sort of answered at different technological levels. But let me try to give a basic answer.
Q. Please.
A. You -- one of the factors is what is -- what are the basic hardware building blocks you are using.
Q. Okay.
A. But there are a lot of other factors that have to do with the -- the distances over which you are communicating.
Q. Geographic distances?
A. Geographic distances, yes.
Q. Okay.
A. With the software that you are using at the end points, with the amount of -- the effective speed you get depends on how much congestion there is in the Net between Point A and Point B, and it also depends in complicated ways on sort of the design or architecture of the Internet and the networks.
Q. Okay. Are there any other factors in general terms --
MR. GARBUS: Excuse me, what's that noise?
MR. HART: I think you are hearing footsteps again, Marty. Just to be clear, I mean, there is a paging system in the office, and you may be hearing that and I apologize for that.
MR. GARBUS: I see. I see.
A. No other factors come to mind.
Q. Okay.
A. I may be missing something.
Q. Well, we'll be coming back to that. Again, I was looking for a sort of general answer --
A. Okay.
Q. -- at this point. Did you have an opportunity to review Mr. Appel's deposition transcript before you appeared here today?
A. Yes.
Q. Okay. Did he basically get it right? Are there any things you disagree with in what he said?
A. I don't recall disagreeing with anything.
Q. Okay. Apart from your declaration which we've marked as Exhibit 3 here, have you prepared any materials, whether written or demonstrative, and by "demonstrative" I'm including such things as software or illustrations of how software works, in connection with your involvement in this case?
A. No.
Q. Do you plan to, prior to testifying at the trial?
A. No, I don't have any plans to do that.
Q. Okay. Can you tell me, to the best of your knowledge, what general areas you intend to or are prepared to testify on in the trial of this case?
A. Sure.
Q. Yes.
A. Well, of course I'll answer whatever questions I'm asked.
Q. Of course.
A. But what I would anticipate is I think laid out pretty well in the declaration.
Q. Okay.
A. And there is a list of four topics here.
Q. Okay. There is nothing else, to your knowledge, as we sit here today that you plan to testify on at the trial or that you are right now prepared to testify on at the trial apart from what's in your declaration?
A. I don't plan to testify to anything beyond this as opposed to -- if -- if you're -- with regard to what I'm prepared to testify about in this -- I have a lot of general knowledge about computer science and my -- and my areas of specialty --
Q. Got you.
A. -- which I think I'm prepared to testify about that, but I don't expect to.
Q. Got you. Okay. Have you ever personally been involved in a situation where a security or encryption system has been hacked, in a nonpejorative sense, and the results of that hack disseminated to others?
MR. GARBUS: By "hack" you mean also broken or compromised?
Q. And again, I'm not trying to -- to be pejorative in any sense. If you have a better word, I'll use your word.
A. Right. So I'm interpreting "hacked" here to mean broken -- the system was broken or a flaw was found in it.
Q. Okay. Fine.
A. And the result -- and the results of that -- if you take the results of that to include the knowledge of what was wrong with the system and how the -- how the -- the -- the flaw was discovered and so on, how it was fixed, then yes.
Q. In how many instances have you been involved in such a situation?
A. I'd estimate about a dozen.
Q. Okay. In each of those instances, was the proprietor of the system contacted after the flaw was discovered or the system was broken?
A. So when I said it doesn't, I meant ones in which I had been involved in discovering the security flaw in one way or another.
Q. As opposed to?
A. As opposed to ones in which someone else had discovered it and I was aware of what was happening and so on.
Q. And in the latter category, how many were you involved in, in that way, where you weren't the discoverer but you were involved to one degree or another?
A. Maybe five.
Q. Okay. And what -- can we put a time span on all of these? I mean, is there --
A. Sure. We can start in, say, early 1996 up until about the present.
Q. Okay. Now, with respect to any of them -- and I'm including for the purposes of these questions both the ones that you were the discoverer of a flaw in and the ones where you weren't the discoverer but you were involved in some way or another in the exercise. Were there any that involved some kind of contact or communication with the proprietor of the system regarding the existence of the flaw or of the compromise or of the break?
A. Yes.
Q. Did all of them involve some contact or communication with the proprietor of the system regarding that subject?
A. All of them did eventually.
Q. Okay. And by "eventually," what do you mean?
A. What I mean was that at some point in time the person who discovered the flaw communicated with the -- the -- what you call the proprietor, the -- the creator of the system to discuss the flaw.
Q. Okay. Now, in the 12 instances where you personally were the discoverer of the flaw, was it you in each of those 12 instances that communicated with the proprietor of the system regarding the flaw?
A. Yes.
Q. Okay. And how did you do that in each instance?
A. If I knew who were the engineers within the -- the -- the proprietor of the system who were responsible for the security aspects of it, I would just call them directly.
Q. Got you.
A. Although it's not easy to find out who those people are if you don't already have a relationship with the company.
Q. Okay.
A. And so if you don't, then you have to go in through the front door.
Q. Right.
A. But -- bug reporting mechanism or something like that.
Q. Got you. Okay. Now, were any of the 12 instances that you were involved in as the discoverer of the flaw situations where you had some relationship with the company that was the proprietor of the system?
A. No, not always.
Q. Okay. Was there any where you did have a relationship with the proprietor of the system?
A. Yes.
Q. How many out of the 12, roughly?
A. The majority of them.
Q. Okay. And by "relationship" what do -- what do you mean?
A. What -- what I mean by that is I had already had some discussions or some dealings with the engineers within those companies who were responsible for the security of the products.
Q. Okay. And did that mean that the process of your discovering the flaw in the system and communicating it to the proprietor was a role that you played with the company's approval?
MR. GARBUS: I would object to the form, but I'll allow the witness to answer it.
A. I'm not sure I fully understand what you mean. I didn't need anyone's approval to call these people and talk to them.
Q. No -- okay. Fair enough. And I guess what I'm trying to get at, and I apologize for the awkwardness of my question, is you say in the majority of instances you did have some relationship with the proprietor.
MR. GARBUS: I think the use of the word "relationship" is vague, and I think you could probably be more specific and get the answers that you want.
A. Well, I said what I meant by relationship a minute ago.
Q. Right.
A. Which was that I had had some dealings with the engineers within the company responsible for the security of the product.
Q. Okay.
A. And that those dealings could just have been a few conversations.
Q. Got you.
A. Because it -- just to clarify, it does not necessarily mean any kind of formal relationship with the company.
Q. Okay. In any of the instances where you discovered the flaw in a security system, was that done with the company's awareness at the time?
A. In some of them.
Q. Okay. How many of the 12?
A. It depends exactly how you interpret "awareness."
Q. Okay.
A. The companies were -- I'd say in the majority of the cases the companies were aware that we were examining their software --
Q. Okay.
A. -- in general, or that we were examining software that was in the same general area as theirs. So they might have suspected that we were looking for flaws in their software.
Q. In how many instances?
A. In the majority of instances --
Q. Okay.
A. -- the companies were aware at least that we were out there and we were looking at security vulnerabilities in a particular category of software.
Q. And to your knowledge, how were the companies aware of that fact?
A. In most of the cases, because -- either because of conversations I had had with the -- the engineers or because we had found previous security flaws in that company's software or because of the reports in press.
Q. Okay. Let's take the last two. Because you had previously discovered flaws in that company's security system.
A. Yes.
Q. Not necessarily the same system or the same system?
A. There would -- there would have been some cases of each.
Q. Okay. And in the instances -- in those instances where you had previously discovered a flaw in one of those companies' systems, had you communicated that fact to that company at that time?
A. At which time?
Q. At the previous time.
A. At the time that we discovered the previous flaw?
Q. Previous. Correct.
A. Let me think, think about the cases.
MR. GARBUS: May I hear the last question?
(Record read)
A. Yes.
Q. Okay. And I believe you said as the third prong of your answer a couple of questions ago something about because some information concerning a flaw had been published. And I don't want to mischaracterize your testimony. We can go back and reread it.
A. I think I said because of reports in the press.
Q. Reports in the press. And --
A. Yes.
Q. -- can you describe what you mean by "reports in the press"?
A. Sure. What I mean is by stories in major newspapers, for example, and Internet media about the existence of flaws and our discovery of them.
Q. Okay. Now, in each instance where you were the discoverer of a flaw, did you make an effort to contact the proprietor of the compromised system, if you will, prior to causing the disclosure of any information concerning the weakness to be generally publicized?
A. We did make an attempt in every case, but we were not always successful.
Q. Got you.
A. Actually, let me clarify a little bit.
Q. Yes, please.
A. I can think of at least one instance in which we did report the existence of the vulnerability to the company through a sort of pub -- general public bug reporting mechanism. And nothing happened as a result of that. We were unable to determine who else to talk to inside the company, and later the -- the company reported that -- that they had -- that they essentially don't look through those -- those bug reports.
Q. Got you.
A. So in other words --
Q. You did --
A. We attempted to reach the right people within the company, but not already having a relationship with the company, we were unable to actually effectively communicate with them.
Q. Got you. And just to clarify a general public bug reporting mechanism in lay terms, would that be --
A. So that --
Q. -- a facility that the company itself sets up, like a hotline or an e-mail line --
A. That's right, yes.
Q. -- that says, gee, if you have discovered any flaws or bugs in our software, please communicate those to us at this address?
A. Yes, that's what I meant.
Q. Okay. And apart from that instance where your -- which you just described, in all of the other instances that you've been involved in, either the 12 where you were the discoverer or the 5 where you were in some way involved but not the discoverer of the flaw, to the best of your knowledge, was an effort made to communicate with the proprietor of the system concerning the flaw before any information concerning the flaw was generally publicized?
A. No, I don't believe that was the case in -- in every -- in every situation.
Q. Okay. Which ones were the exceptions?
A. I can think of a couple in which the information was publicized on the Net, and in at least one case in the news media before -- before, as far as I know, the -- the vendor of the system was -- was contacted.
Q. Okay. And so in total, out of the 17 we are talking about, both where you were the discoverer and the ones where you were involved, how many fit into this category?
A. Category of --
MR. GARBUS: Category of? Public notice before --
Q. Where some information was disclosed publicly before the proprietor of the system was communicated with about the flaw.
A. Out of the roughly 17, perhaps 13 or 14 would fall into that category.
Q. That is, some disclosure was made publicly before --
A. No, I'm sorry. Some dis -- some -- some disclosure or discussion with the vendor occurred before --
Q. Okay.
A. -- information became public.
Q. So in 13 cases approximately out of the 17 --
A. Approximately.
Q. -- the vendor was contacted before any of the public disclosure was made?
A. Approximately, yes.
Q. Leaving us with approximately four where disclosure publicly was made about the flaw before the vendor was contacted, is that right?
A. That's right.
Q. Okay. Sorry for the confusion. Thanks for clarifying that. Now, of those four, okay -- and you know which four I'm referring to?
A. Yes.
Q. Okay. -- how many of those were ones where you were the discoverer of the flaw as opposed to you were just involved but not the discoverer of the flaw?
A. I believe there was one, one case where we were -- where I was one of the discoverers in which it was -- where -- in which the information became public before the --
Q. Got you.
A. -- the vendor was aware of it.
MR. GARBUS: Do you want some more water?
THE WITNESS: Please.
Q. Okay. Let's focus on that one for a few minutes.
A. Okay.
Q. That's where we are going to spend a little time. How much detail can you give me here today about whose system it was, what the system was, what the flaw was and where it was publicized?
A. Sure. So the one that I'm referring to is the one that I referred to before in which we made an attempt to talk to the -- the vendor, but we were unsuccessful in doing it.
Q. Oh, okay. So let me just have her read back. It's for my sake, not for yours. I'm trying to keep this as accurate as possible.
MR. HART: Ms. Reporter, if you'd go back three questions ago, I think, and answer.
THE VIDEOGRAPHER: Off the record at 11:00.
(Record read)
THE VIDEOGRAPHER: Back on the record, 11:05.
MR. HART: Thank you.
Q. Okay.
And before we went off the record, just to make sure we didn't miss a beat here, the one instance where you were involved as the discoverer where information concerning the flaw was publicized before the vendor was effectively contacted was, I believe, the instance you said earlier you had tried to communicate through the general public bug reporting mechanism, but apparently that communication didn't work.
A. That's right.
Q. Okay. Now, of the other three where you weren't the discoverer of the flaw and where something about the flaw was publicized prior to the vendor being contacted, can you just tell me generally the circumstances in which each of those went down?
A. Well, the -- I don't recall the specific details, although what I -- what I recall is that -- what I recall is that the people who discovered those flaws did talk about them publicly before they contacted the vendors. I don't -- I don't recall the specific circumstances or why they did that.
Q. Okay. Do you regard that as inappropriate in terms of ethical standards or any other practice in your experience with respect to security, testing security or discovering flaws?
A. I think it de --
MR. GARBUS: I was going to say I object to the form of the question. I also object to the substance. Mr. Felten clearly will answer it.
MR. HART: Okay.
A. I think it depends on the circumstances really. I don't think there is a general ethical requirement to -- to discuss these things with the vendor before discussing them with anyone else.
Q. Is there a general practice that that be done, even if there is not a requirement in other words?
MR. GARBUS: I would object to that. I'll allow Mr. Felten to answer it.
A. I think there -- there are different schools of thought about what is the best way to proceed in those situations.
And -- well, I want to make clear that what I'm talking about here is not whether you discuss these things publicly, but just the timing. Whether one discusses -- I think in general it's helpful to discuss these sorts of issues with what -- to discuss them widely. And we are just talking about whether -- who you call first essentially, not whether you call anyone in particular.
Q. But is it your testimony that as a matter of practice, professionally speaking --
A. I think --
Q. -- that -- and I don't want to -- maybe I should reframe the question, because I don't want to combine it with a lot of double negatives. As a matter of practice, is it the norm to contact the vendor first?
MR. GARBUS: Objection.
THE WITNESS: I'm not sure there is a norm that's -- that is widely followed.
Q. Let me ask you this, because I believe you said, correct me if I'm wrong, that out of the 12 where you were the discoverer, that in every one, save one, the vendor was contacted. And in the one -- for the one exception, you had indeed contacted the vendor through the general reporting bug mechanism but that didn't take, if you will?
A. Yes, that's right.
Q. Okay.
A. And the reason we did that --
Q. We or you?
A. Me in particular. I say "we" because I'm referring to a research group of which I'm the head.
Q. Okay.
A. And so if the -- when the contact would occur I would be the one who did it.
Q. Okay.
A. That would sort of be on behalf of the group.
Q. Okay. Got you.
A. And the reason that -- the reason that we have typically done it in -- in that way, the reason we've typically contacted the vendor first is that that seems to cause the vendor to -- to be more careful and thoughtful when they issue their first pub -- public reaction to the -- to the discovery of the flaw.
It helps -- I've found it helps to give them some time to think about it before they have to answer questions from the reporters or from the public about the flaw.
Q. Okay.
A. And that's -- that's the main reason why -- why -- why we have typically talked to the vendor first.
Q. Does it also give the vendor an opportunity to fix, ameliorate or at least put a Band-Aid on the flaw, if you will?
A. It lets them start the process of fixing the flaw --
Q. Okay.
A. -- but it is not our practice of waiting until they ship to fix.
Q. I understand. But is part of your purpose in contacting the vendor before making disclosure generally to give the vendor some kind of head start in attempting to make a fix?
A. That's part of it. To make a head start, to have a little bit of time to think about what their approach is going to be to fixing it, and so on.
Q. Okay.
A. And we would typically --
Q. Yeah. Okay.
A. So we would typically give sort of 48 to 72 hours sort of head start to the vendor, talk to them, and then after a delay of a couple of days discuss the -- the vulnerability publicly.
Q. When you say "discuss the vulnerability publicly," in each of the 12 instances where you were the discoverer, how did you wind up discussing the vulnerability publicly? And if you can answer generally, that's fine. If you have to go through --
A. Generally in a number of different ways.
Q. Go ahead.
A. We would put something on our Web site discussing the -- the vulnerability. We would typically send a message to the Risks Digest, which is a -- an online forum for discussing -- for discussing in general the risks and vulnerabilities relating to computerized systems, and send it to other similar places. We would talk to any reporters, members of the press who -- who had seen those announcements.
And there were, in addition, 5 some people in the press who specifically 6 requested that we inform them when we found 7 something, and we would inform them. And then 8 that would -- that would be the immediate 9 steps. And then we would later pub -- publish 10 papers describing what we had found and what we 11 could learn from it. 12 Q. Okay. 13 A. But, of course, the academic cycle 14 is a bit longer. 15 Q. I understand. 16 A. So those would become available to 17 the public later. 18 Q. Got you. 19 And by "public," are you referring 20 to the academic, scientific and scholarly 21 community or the general public or both? 22 A. Both. 23 Q. Okay. 24 Now, in this first wave of 25 disclosure, if you will, before scholarly 43 1 EDWARD FELTON 2 publications are issued, can you generally 3 describe the content of the disclosure that was 4 made in each instance? 5 A. Well, we would typically describe 6 it in different levels of technical detail 7 because -- because we -- there are different 8 audiences of people who are interested. The 9 general public doesn't necessarily want to know 10 all the bits and bytes, but there's a large 11 community of -- of computer experts who do. 12 And so we would -- we might write two or three 13 different descriptions of -- ranging from 14 sort of what the general public -- what we 15 thought the general public would want to know, 16 what's the general nature of the vulnerability, 17 how can they protect themselves, and so on, and 18 ranging up to more technical descriptions for 19 people who were really interested in the -- in 20 the details and wanted to understand in more 21 detail how -- what the vulnerability was. 22 Q. Okay. 23 And would those more technical 24 descriptions include algorithm as part of the 25 disclosure? 44 1 EDWARD FELTON 2 A. In some cases. 3 Q. Okay. 4 Would it include code? 5 A. In some cases there -- there was 6 code in there. 7 Q. Which cases? We are talking about 8 the 12 now? 9 A.
We are talking about, yes, the ones 10 in which we -- in which I was involved as a 11 discoverer. 12 Q. Okay. How many -- I'm sorry. 13 How many of the 12 involved the 14 publication of some form of code in connection 15 with the disclosure of the weakness? 16 A. And here we're talking about just 17 the immediate disclosure that occurs, not what 18 we do -- 19 Q. Scholarly later. 20 A. -- later. Right. 21 The later papers are not only for 22 scholars, but also intended in some cases for 23 -- more for members of the public. 24 Q. Okay. Fair enough. I didn't mean 25 to -- sorry. 45 1 EDWARD FELTON 2 A. Right. I mean scholarly articles 3 in the usual scholarly places. Also, the 4 magazines that are more widely read, 5 information on our Web site which gets accessed 6 by a lot of people with different levels of 7 expertise. 8 But to return back to the 9 clarification to the -- to the initial question 10 -- 11 Q. Right. 12 A. -- in the initial disclosure -- I'm 13 sorry, I've lost the question now. You were 14 asking what was -- 15 Q. I was trying to get at how much 16 detail was disclosed, and you said well, that 17 varied depending on the audience. 18 A. Yes. 19 Q. And I think you said in some 20 instances it was more technical. And then we 21 were focusing on the more technical 22 disclosures, and I asked you whether in any 23 instances that included algorithms, and I 24 believe you said yes. And then I asked you if 25 in any of those instances it included code in 46 1 EDWARD FELTON 2 one form or another, and I believe you said 3 yes. And I think the question we're up to now 4 was out of those 12, which instances of the 12 5 included code in the initial wave of 6 disclosure? 7 A. I could only guess. 8 Q. Well, I don't want you to guess, 9 but if you could approximate that would be 10 great. 11 A. Out of 12, maybe 3 -- 12 Q. Okay. 13 A. -- would be an estimate. 14 Q. Okay. 15 And I'm going to work with that 16 three number for now unless you -- 17 A. 
Right, with the understanding it's 18 an approximation. 19 Q. I understand. And I -- again, I'm 20 not trying to box you in. 21 A. Sure. 22 Q. We need to organize this in some 23 way, so I'm going to work with those three 24 which involved in the initial wave of 25 disclosure, if you will, some form of code in 47 1 EDWARD FELTON 2 one way or another. Okay? 3 A. Okay. 4 Q. Good. 5 Can you recall whether that 6 involved the inclusion of source code or object 7 code or both? 8 A. I think it would have been source 9 code in the initial -- in the initial 10 disclosure. 11 Q. Okay. 12 A. And I'm talking here again only 13 about the initial disclosure. 14 Q. I understand. 15 And was there a reason why source 16 code was used rather than object code in the 17 initial disclosure? 18 A. Yes. 19 Q. Why was that? 20 A. I can think of two reasons. Number 21 one is that the -- the soft -- the flaws that 22 we were looking at generally were ones that 23 applied across different platforms, different 24 types of computers, different operating 25 systems. And so with object code you would 48 1 EDWARD FELTON 2 have had to make -- we would have had to make a 3 different version for each platform. 4 Q. Okay. 5 A. And in the initial disclosure, one 6 of the things we want to do is get the 7 information out there quickly. 8 Q. Right. 9 A. And so it's more expedient in that 10 situation to -- to distribute source code. 11 Q. That's reason one, correct? 12 A. Right. 13 Q. What was reason number two? 14 A. Reason two is with -- is that 15 source code is generally easier for people to 16 read. And again, in the sort of the quickie 17 initial disclosure -- 18 Q. Got you. 19 A. -- that's -- we would rather do 20 less work than more in order to get it out 21 quickly. So if we had to do one thing, that's 22 what we would do. 23 Q. I understand. 
24 And with respect to the inclusion 25 of source code in these initial public 49 1 EDWARD FELTON 2 disclosures, was that annotated code with 3 comment or was it -- and you probably have a 4 more scientific term for this. I would say 5 unexpurgated code. 6 A. It could be either. 7 Q. What was it, in fact, in the three 8 instances? 9 A. I'm not sure which one it would 10 have been. 11 Q. Okay. 12 A. Generally, we would have taken what 13 we had -- 14 Q. Got you. 15 A. -- what we would have developed 16 ourselves in our own internal experimentation, 17 and if that had comments in it, then the 18 comments would probably be there when we 19 disclosed it. If it didn't when we were 20 working with it internally, then probably it 21 would not. 22 Q. But you can't remember as you sit 23 here today? 24 A. I can't remember the specific cases 25 what -- what the situation was. 50 1 EDWARD FELTON 2 Q. Do you have data within your 3 possession or control in some form that would 4 give you an answer to that if you were able to 5 look? 6 A. I might be able to. We -- we may 7 have access to some of the initial disclosures. 8 I don't think we have them all. 9 Q. And when you say we might have 10 access, what do you mean? 11 A. What I mean is that if things were 12 sent in e-mail there might be -- there might be 13 -- I might still have copies of some of the 14 e-mail, for example. 15 Q. Okay. 16 And again, we are not -- just to be 17 clear, we are not talking about the disclosure 18 of the vendor, we are talking about the initial 19 public disclosure? 20 A. Right, the initial public 21 disclosure, that's right. 22 Q. Okay. 23 Now -- and those e-mails would be 24 resident somewhere on a computer somewhere at 25 Princeton somewhere within your office area or 51 1 EDWARD FELTON 2 your lab? 3 A. If I have them, yes. 4 Q. Yeah. I understand. Okay. 
5 Now, in the three instances that 6 we're talking about, to the best of your 7 recollection was -- what was the code that was 8 part of the initial public disclosure; was it 9 code of the system that had the flaw, was it 10 code of the thing that enabled you to detect 11 the flaw or was it something else? 12 A. It would not have been code of the 13 flawed system, because we did not have 14 permission. In most cases we did not have 15 source code for the flawed system, and in cases 16 where we did, we did not have permission to 17 publish it. 18 Q. Okay. 19 A. That is, you know, we had received 20 it under some kind of confidentiality agreement 21 or under some kind of license that did not 22 allow us to republish it. So it would have 23 been code -- it would have had to have been 24 code related to the exploitation of the 25 vulnerability or demonstration of it. 52 1 EDWARD FELTON 2 MR. HART: Okay. Can you just 3 read the last answer back? And, 4 again it's my brain, not your 5 testimony. 6 (Record read) 7 Q. Okay. 8 So again, focusing on the three 9 instances approximately where you were the 10 discoverer of the flaw, where the initial wave 11 of public disclosure included code in one form 12 or another -- 13 A. Mm-hmm. 14 Q. -- it's your testimony that you did 15 not disclose the code of the system because you 16 got access to the system code or the system 17 itself by either confidentiality agreement or 18 license; is that -- 19 A. That's right, yes. 20 Q. Okay. 21 A. In -- some companies have policies 22 in which they will provide source code for 23 products to any academic researcher under some 24 kind of confidentiality agreement, and under 25 some cases we had that -- that kind of 53 1 EDWARD FELTON 2 arrangement. So I don't -- I didn't mean to 3 imply that it was a special arrangement made 4 between the vendor and us necessarily. 5 Q. Got you. 6 A. It may have been a sort of blanket 7 one that they make available to everyone in the 8 academic community. 
9 Q. Fair enough. 10 But just to be clear, with respect 11 to the three instances where the initial public 12 disclosure involved the publication of code in 13 one form or another, in each of those three 14 instances you had gotten access to the system 15 or to the system code through some kind of 16 license or confidentiality agreement? 17 A. To the source code. 18 Q. Okay. 19 A. Via -- right. 20 Q. Okay. 21 A. Either I or my boss had signed a 22 piece of paper promising not to publish that 23 code. 24 Q. Got you. Okay. 25 And you said that was disclosed, 54 1 EDWARD FELTON 2 therefore, in the initial wave of public 3 disclosure as not the source code of the system 4 but rather what? 5 A. Source code that was needed in one 6 way or another to discuss or demonstrate the -- 7 the vulnerability that we -- that we were 8 disclosing. 9 Q. Okay. 10 And can you tell me as you sit here 11 today with respect to the three -- or 12 approximately three instances that we're 13 talking about, what in each of those three 14 instances was included in the dissemination, 15 how much code, what did it reveal? 16 A. No, I can't tell you the specifics 17 as I sit here today. 18 Q. Okay. 19 Can you tell me generalities? 20 A. Well, in general we would disclose 21 -- 22 MR. GARBUS: I think he's 23 answered that already. 24 A. -- whatever we thought was 25 necessary in order to -- in order to 55 1 EDWARD FELTON 2 communicate the message that we were trying to 3 communicate, the nature of the vulnerability. 4 Q. Got you. 5 A. The fact that the -- what the risk 6 was to -- to members of the public, what the 7 cause of the vulnerability might have been and 8 so on. 9 Q. Okay. I'm sorry. I didn't mean to 10 -- 11 A. That's all. 12 Q. Cool. 13 When you say to alert the public in 14 each of these three instances, what was the 15 concern for public safety or security? 16 A. Well, there are several aspects to 17 that. There are several reasons to alert the 18 public in this sort of situation. 
19 One is that members of the public 20 were using software systems which made them 21 vulnerable, and we thought they had a right to 22 know that, to understand what the nature of the 23 vulnerability was, what the conse -- possible 24 consequences were. 25 Also, we thought that the public 56 1 EDWARD FELTON 2 had a -- a need to sort of understand the track 3 record of the various vendors over time. 4 Q. Okay. 5 A. And understand that. 6 We felt the people who were 7 thinking about buying into a particular 8 technology in one way or another, either by 9 using it, by partnering with the vendor, by -- 10 or whatever way, had a right to understand what 11 they were getting. And we also believed that 12 discussion of these sorts of vulnerabilities 13 leads to progress in understanding how to build 14 better systems. 15 Q. Okay. 16 And all of these considerations 17 that you just described in your last answer 18 were applicable in the initial public 19 disclosure of the flaw in the three instances 20 where we're talking about where code was 21 present in one form -- 22 A. That's why we -- the reasons I gave 23 you were why we communicate with the public 24 about these things -- 25 Q. Okay. 57 1 EDWARD FELTON 2 A. -- and whatever disclosures we make 3 in general are motivated by those -- by those 4 goals. So without going into specifics 5 because, as I said, I don't remember the 6 specific circumstances in detail -- 7 Q. Right. 8 A. -- we -- in each of these 9 situations we would have done what we thought 10 were best to achieve those goals. 11 Q. Got you. Okay. 12 Now, in each of the three instances 13 where there was an initial public disclosure 14 that included some code in one form or another, 15 okay, did any of those three involve the making 16 available to the general public of some kind of 17 executable utility that would enable people to 18 use that utility to take advantage of the flaw? 19 A. By "executable utility," you mean 20 object code -- 21 Q. 
Well -- 22 A. -- in particular or what? 23 Q. Yeah, I guess. And obviously you 24 have a little bit more expertise in that area 25 than I do, so I apologize for my clumsiness. 58 1 EDWARD FELTON 2 But when I say an "executable 3 utility," what I mean is software that is 4 operable to do a machine function or a process. 5 And specifically in this context, despite my 6 question, I'm talking about software that's 7 operable on a machine to actually take 8 advantage of the flaw that was discovered. 9 MR. GARBUS: Can I have the 10 question read? 11 (Record read) 12 MR. GARBUS: I object to the 13 question. I think the witness has 14 already answered it. 15 MR. HART: Okay. I don't want 16 you to testify, Marty. I'd like an 17 answer to the question. 18 MR. GARBUS: Okay, but -- 19 MR. HART: Marty, if you have 20 an objection, state the objection 21 briefly. I do not want you 22 coaching the witness. 23 MR. GARBUS: I don't care to be 24 lectured. 25 MR. HART: I'm not lecturing. 59 1 EDWARD FELTON 2 MR. GARBUS: I'm objecting to 3 the question on the grounds that 4 the witness has already answered 5 the question. 6 MR. HART: He has not. Are you 7 instructing him? 8 MR. GARBUS: I have no 9 objection to allowing the witness 10 to answer the question. I am not, 11 in any objection that I make, going 12 to tell this witness not to answer 13 any question. 14 MR. HART: Good. So can I have 15 an answer? 16 MR. GARBUS: I'm entitled to 17 state the grounds for my objection, 18 and I would appreciate it if you 19 would not interrupt me. Go ahead, 20 Mr. Felten. 21 MR. HART: Thank you, 22 Mr. Garbus. 23 A. Okay. There's a distinction here 24 between exploiting the vulnerability and 25 demonstrating it -- 60 1 EDWARD FELTON 2 Q. Okay. 3 A. -- okay, which I want to draw. 4 Q. Okay. 5 A. 
And by "demonstrating" what I mean 6 is showing that -- showing that the flaw or the 7 vulnerability exists by actually doing 8 something which -- which the designers of the 9 system say is supposed to be impossible. 10 Q. Mm-hmm. 11 A. And by "exploiting" I mean using 12 that capability of violating the designer's 13 rules to actually do something which is illegal 14 or damaging. 15 Q. Got you. 16 A. So we would not distribute code 17 which -- which breaks the law, say, which 18 allows you to break into someone else's 19 computer, but we would -- but we would, if -- 20 in certain circumstances distribute code which 21 demonstrated that the rules could be violated. 22 Q. Okay. 23 And appreciating the distinction 24 that you just made -- 25 A. Yes. 61 1 EDWARD FELTON 2 Q. -- how do you -- how did you do 3 that in actuality? 4 A. So, let me give an example, okay? 5 Suppose that -- suppose that we had found a 6 flaw which let someone construct a Web page 7 such that when someone views the Web page the 8 Web page can sort of take over their Web 9 browser and do whatever the constructor of the 10 page wants it to do, okay? So you can 11 demonstrate that by making a Web page which, 12 say -- by making a Web page which demonstrates 13 that it can create some harmless file on the 14 person's machine. 15 Q. Right. 16 A. As opposed to something which 17 actually seizes control of their machine. 18 Q. Okay. Let's -- that's an 19 instructive example. 20 A. So it steps outside the rules of 21 what the browser's security system says is 22 supposed to be possible, and it does something 23 which demonstrates that those rules are not 24 enforced. 25 (Record read) 62 1 EDWARD FELTON 2 Q. I just want to concretize what you 3 said in the context of the specific ones you've 4 -- the situations you were involved in. And 5 you gave an instructive example. 
6 With respect to the three where 7 some code was included in the initial public 8 disclosure of the weakness of the system, was 9 there public dissemination of computer code 10 that was functional code to enable someone to 11 defeat the system or to take advantage of the 12 flaw? 13 A. Well, whatever code we would have 14 distributed would be functional code in the 15 sense that I'm taking from your previous 16 explanations and the questions, that is, code 17 which actually describes or specifies behavior. 18 Q. Right. 19 A. That's what code is designed to do, 20 to describe behavior. 21 Q. Got you. 22 A. And -- I'm sorry. Could I repeat the 23 question back then? 24 Q. Well, let me -- let me ask it a 25 different way, because I think we're getting 63 1 EDWARD FELTON 2 hung up unnecessarily here. 3 MR. GARBUS: That was the basis 4 of my previous objection, that you 5 were not understanding what the 6 witness was saying. And that's why 7 -- 8 MR. HART: Well, I think I am, 9 Marty. 10 MR. GARBUS: -- and that's why 11 -- 12 MR. HART: I don't need to be 13 lectured either. So if you have an 14 objection, make it. Otherwise, 15 let's proceed. 16 MR. GARBUS: And that's why 17 there is confusion. 18 MR. HART: I don't think there 19 was any confusion, Marty. If you 20 have an objection, make it. 21 Otherwise, let's proceed. 22 Q. You said all code is functional to 23 some degree. 24 A. Yes. 25 Q. Okay. 64 1 EDWARD FELTON 2 A. In the sense that it describes 3 behavior, it has that -- it has that aspect. 4 It's functional in the sense that it describes 5 a particular thing the computer could do. 6 Q. Okay. 7 What I'm trying to get at here in 8 the three instances that we've been focused on 9 for the last 15 or 20 minutes is whether as 10 part of the initial public disclosure you or 11 the people you worked with disseminated 12 software that was immediately operable in 13 someone else's computer to take advantage of 14 the flaw or the defect in the system. 15 MR.
GARBUS: Object to the form 16 of the question. 17 A. Not immediately operable in the 18 sense that it was not object code. 19 Q. Okay. 20 A. And again, I don't -- I don't 21 recall the specifics of these situations, but 22 in general as I said, our policy was to include 23 whatever we thought needed to be included to -- 24 to make the points to -- to satisfy the goals 25 that -- that we were trying to satisfy in 65 1 EDWARD FELTON 2 disclosing the -- and discussing the 3 vulnerability. And so to the extent that that 4 required us to -- to disclose code, then we 5 did. 6 Q. Okay. 7 But in disclosing code, were you 8 cognizant of trying to avoid providing 9 something to people that could be used to take 10 advantage of the flaw? 11 A. That was -- 12 MR. GARBUS: I object to the 13 question. It's already been asked 14 and answered. 15 A. That was -- that was one of the 16 things we took into account in deciding what to 17 disclose or what to discuss publicly. 18 Q. And we've been making a distinction 19 so far between what I think was the initial 20 public disclosure -- 21 A. Yes. 22 Q. -- versus what was later disclosed? 23 A. Yes. 24 Q. Okay. 25 Now I'd like to go to the -- what 66 1 EDWARD FELTON 2 was later disclosed -- 3 A. Okay. 4 Q. -- and essentially ask you the same 5 question, which is in terms of disseminating to 6 the public code in any form in these later 7 disclosures, whether you made available to the 8 general public an executable utility or some 9 other piece of software that enabled people to 10 take advantage of the flaw as opposed to merely 11 illustrating the flaw? 12 A. In -- in general, the later 13 discussions were in more detail. They had more 14 technical details in them, they were lengthier, 15 and we had more time to prepare them. So there 16 would be more detail there than was in the 17 initial -- initial discussions. 18 Q. Okay. 19 A. 
Also, given that time would usually 20 pass before the later, say, academic 21 publications or magazine articles would become 22 available, there would be perhaps new versions 23 of the software, of the flawed software out 24 there, and that would also factor into our 25 calculations. 67 1 EDWARD FELTON 2 Q. Got you. 3 A. So, in general, there would have 4 been more disclosure of details of 5 vulnerability -- 6 Q. Okay. 7 A. -- of vulnerabilities in the later 8 discussion. 9 MR. GARBUS: Can we take a 10 bathroom break after your next 11 question? 12 MR. HART: After a couple of 13 next questions, absolutely. Let me 14 just kind of try and wrap up this 15 area of inquiry. I appreciate your 16 candor. 17 Q. Is it fair to say that with respect 18 to any of the situations where you were the 19 discoverer of system flaw that at no time, 20 whether in the initial public disclosure or in 21 any subsequent disclosure, did you make 22 available an object code utility or an 23 executable computer program that enabled people 24 to take advantage of the flaw? 25 A. We -- in the instances that we were 68 1 EDWARD FELTON 2 in, we were able to show how to demonstrate the 3 flaw without -- without exploiting it to do 4 damage. 5 Q. Got you. 6 A. There is no doubt, though, that 7 discussing how to demonstrate the flaw provides 8 information that someone could use in a harmful 9 way. 10 Q. Got you. 11 But do you see in your mind, 12 professionally speaking, a difference between 13 providing information describing a flaw and 14 providing basically a tool that enables people 15 to take advantage of the flaw? 16 A. I think there is a difference 17 between those things. It depends on the 18 circumstances whether it's possible, for 19 example, to demonstrate a flaw without also 20 providing a way to -- to exploit it. 21 Q. Got you. 22 A. A demonstration plus some other 23 steps may be an exploitation. 24 Q. Got you. 25 But in all of the -- 69 1 EDWARD FELTON 2 MR. HART: Please. 3 Q. 
But in all of the 12 instances 4 where you were the discoverer of the flaw and 5 you were involved in one way or another in the 6 ultimate public disclosure of that flaw, in no 7 instance did you find it necessary to provide 8 people with the tool to take advantage of the 9 flaw in order to describe it, discuss it, 10 illustrate it or analyze it, right? 11 MR. GARBUS: I'll object to it. 12 That's not what the witness has 13 testified to. That's an 14 oversimplification. 15 A. We did not provide -- we never 16 provided a tool which let someone -- which gave 17 someone all of the steps of breaking into 18 someone's computer and doing damage. 19 Q. And you -- you deliberately avoided 20 doing that; isn't that true? 21 A. That's correct. 22 Q. Thank you. 23 A. We did provide the information that 24 -- that we thought the people -- the public 25 needed in order to understand the situation, in 70 1 EDWARD FELTON 2 order to further research. And that did 3 include code which demonstrated the flaw, which 4 would mean it included necessarily one or some 5 of the steps that someone would need to do 6 damage. 7 Q. Got you. Thanks. 8 MR. GARBUS: Can we take our 9 break? 10 MR. HART: We are going to take 11 our break now. I thank you. 12 THE VIDEOGRAPHER: Off the 13 record, 11:43. 14 (Brief recess taken) 15 THE VIDEOGRAPHER: Back on the 16 record, 11:59. 17 MR. HART: Everybody ready? 18 MR. GARBUS: Yes. 19 MR. HART: Do you want to put 20 your mike back on there, Marty? 21 MR. GARBUS: I'm not doing very 22 much talking, so I'm sure it's not 23 necessary. Go ahead. 24 MR. HART: Promises, promises. 25 Q. Have you ever had occasion to 71 1 EDWARD FELTON 2 examine what's referred to as DeCSS? 3 A. Yes. 4 Q. When did you first do that? 5 A. I don't recall precisely. I would 6 estimate maybe six months ago. 7 Q. Okay. 8 I'm -- six months ago means roughly 9 when? 10 A. Means either early this year or 11 perhaps the end of 1999. 12 Q. Okay. 
13 And was this prior to your lunch 14 meeting with Mr. Garbus and Mr. Appel? 15 A. Yes, it was well before that. 16 Q. Okay. 17 And where did you get access to 18 DeCSS in order to examine it? 19 A. I did a Web search and found a site 20 that had it. 21 Q. Okay. 22 Do you recall which site had it? 23 A. No. 24 Q. What form was it in? 25 A. What I got was in the form of a zip 72 1 EDWARD FELTON 2 file that had source code and object code for 3 DeCSS along with a couple other related things. 4 There was something called CSSAuth and there 5 was something called LIVID. 6 Q. LIVID? 7 A. LIVID, L-I-V-I-D. 8 Q. And did you examine CSSAuth? 9 A. I believe I did. 10 Q. And what is it? 11 A. I don't recall now. 12 Q. Did you examine LIVID? 13 A. I don't remember whether I did or 14 not. 15 Q. Do you recall what LIVID was? 16 A. I'm not sure what -- what it is. 17 There's something in -- something in the back 18 of my mind saying it might be a Linux video 19 player, but I'm not sure of that. 20 Q. Okay. 21 So you downloaded the files you 22 just mentioned from a Web site? 23 A. A Web site which I found by Web 24 search. 25 Q. Got it. 73 1 EDWARD FELTON 2 Do you still have those downloads 3 on your computer today? 4 A. Yes. 5 Q. Okay. 6 What have you done with them? 7 A. I have -- I've read the material -- 8 with respect to DeCSS I've read the -- there 9 was -- there was a file in the distribution 10 which was a readme or some sort of descriptive 11 -- short descriptive file saying what was 12 there. I have read the source code, I ran the 13 object code. It didn't do anything on my 14 computer because I don't have a DVD drive. 15 With respect to CSSAuth, I believe 16 that I read descriptive files and source code, 17 as well. 18 Q. Okay. 19 When you say descriptive files in 20 source code? 21 A. And source code. 22 Q. Oh, and source code. Okay. 23 A. So a readme file and whatever -- 24 whatever it is that was there. 25 Q. 
So that's what I want to come back 74 1 EDWARD FELTON 2 to. You said in the early part of your answer 3 there was a readme file. That was in English? 4 A. That's right. Just saying -- what 5 I recall is it said something like here's a 6 list of the files that are here and this is 7 what each one is -- 8 Q. Got you. 9 A. -- or some such thing. 10 Q. Okay. 11 And what was your purpose in 12 looking at the source code and in running the 13 executable utility, if you will? 14 A. First with respect to looking at 15 the source code, I had read and heard about CSS 16 and the flaws that had been found in it, and I 17 wanted to find out more about that. And so one 18 of the things I wanted to do, one of things 19 that made sense for me to do was to get the 20 code and understand what it did. I also looked 21 at that code in conjunction with Frank 22 Stephenson's paper at one point -- 23 Q. Okay. 24 A. -- again, to understand what this 25 thing did, to understand how CSS worked, how 75 1 EDWARD FELTON 2 the corresponding decryption process worked, 3 and to see for myself what the flaws were that 4 were there and that were described in 5 Stephenson's paper. 6 Q. Okay. 7 And what was your purpose in 8 running the utility? 9 A. I wanted to see whether I could 10 tell what it did on a machine that did not have 11 a -- a DVD drive. And it turns out, as far as 12 I can tell it doesn't do anything if you don't 13 -- it didn't do anything on my machine as far 14 as I can tell. 15 MR. HART: Let the record 16 reflect we have an interruption. 17 (Brief interruption) 18 MR. HART: Let's read the last 19 answer back. I was distracted. 20 I'm easily distracted as Marty 21 knows. 22 (Record read) 23 Q. And was there any value, then, in 24 running DeCSS on your machine as far you were 25 concerned? 76 1 EDWARD FELTON 2 A. It turned out that there was no 3 value to me in the -- in the very brief 4 experiment I did. 
Had I had a DVD drive, I -- 5 there would have been value because this would 6 have provided a demonstration of that -- of the 7 -- of the flaw in -- in DeCSS. 8 Q. Got you. 9 A. That's the kind of demonstration 10 that I was talking about before when I talked 11 about code which demonstrates that a flaw 12 exists. It would have enabled me to go take 13 some files off a DVD and verify that they were 14 actually the content that was originally on the 15 DVD. So I could have been able to verify for 16 myself without understanding a lot of theory 17 that what people were saying about the 18 weaknesses in CSS was right. 19 Q. Okay. 20 So what is it, to your 21 understanding, that DeCSS does? 22 A. My understanding of what it does is 23 that it -- it allows you to take files which 24 are stored on a DVD disc and copy them onto, 25 say, the hard drive of your computer. 77 1 EDWARD FELTON 2 Q. And in doing that, does it decrypt 3 CSS? 4 A. Yes, it does -- it does perform 5 decryption as part of that operation. 6 Q. Okay. 7 A. Of course, decryption is necessary 8 in order to get the files onto the -- onto the 9 hard drive in a form where they're -- they're 10 usable for many of the purposes that I might 11 want to put them to if I were the owner of a 12 DVD. 13 Q. Do you own a DVD player? 14 A. No, I don't. 15 Q. Do you own a VHS type VCR? 16 A. Yes. 17 Q. Okay. 18 How many computers do you have or 19 have access to in your ordinary routine? 20 A. Let me think. I have -- in my 21 office at work I have one computer. There is 22 also a lab that has maybe 10 computers in it. 23 At home -- this is embarrassing -- I think five 24 computers. 25 MR. GARBUS: All for your 78 1 EDWARD FELTON 2 child. 3 Q. Are any of those computers 4 operating using the Linux operating system? 5 A. Yes. 6 Q. Which ones? 7 A. One of the machines in my home runs 8 Linux and some of the -- some of the 10 in my 9 lab run Linux, maybe three or four would be my 10 -- would be my estimate. 11 Q. Okay. 
12 And do you also have Windows-based 13 operating system on any of your home computers? 14 A. Yes. 15 Q. Okay. 16 And what about in the lab? 17 A. Yes, there are some Windows 18 machines in the lab. 19 Q. And what about the computer that's 20 in your office, what operating system does that 21 use? 22 A. Windows. 23 Q. It's a Windows system. Okay. 24 And what kind of Internet 25 connection do you have, if any, with respect to 79 1 EDWARD FELTON 2 your office computer? 3 A. The office computer is connected to 4 our departmental network -- 5 Q. Okay. 6 A. -- which inside the department is 7 100 megabits per second. 8 Q. Okay. 9 And what about with respect to the 10 five computers you have at home, what kind of 11 Internet connection or connections do you have 12 with respect to any of them? 13 A. The connection from my home is a 14 DSL connection which goes to the computer 15 science department at Princeton. 16 Q. Okay. 17 A. And that -- so that between my home 18 and Princeton I get about perhaps 2 megabits 19 per second. 20 Q. Okay. 21 Do you have any other Internet 22 connection at home? 23 A. No. And it's usual -- I should 24 say, all of those -- the bandwidth I'm quoting 25 are internal. That's from one place in the 80 1 EDWARD FELTON 2 building to another place in the building. 3 That's not the bandwidth to arbitrary places on 4 the Net. 5 Q. But the bandwidth that you're 6 talking about which is what, somewhere between 7 2 megabytes a second to 100 megabytes per 8 second, depending on whether we're talking 9 about the DSL at home or the one in your 10 office? 11 A. Megabits per second. 12 Q. I'm sorry. Excuse me. I 13 apologize. 14 Those allow you to connect through 15 a network to Princeton University? 16 A. Just within the computer science 17 department at those rates. 18 Q. I see. 19 And what about the rest of the 20 university? 21 A. I don't know exactly what kind of 22 connectivity we have to the rest of the 23 university. 
I know there is at least one link between our department's network and the university's backbone, I guess. But that, of course, is shared with everyone else in the department.

Q. All right. You're saying you have no specific knowledge of the network --

A. But I don't know specifically how fast that is.

Q. Okay. I'm sorry. Let me finish the question and then you can give the answer --

A. Okay.

Q. -- just to make the record clear. You have no specific knowledge concerning the network at Princeton that's available to people outside of the computer department, for example, like students, and the connectivity and the speeds and the bandwidth of that facility?

A. I think I know generally what's available to people within their own little area of the network, but I don't understand how the various local networks -- I don't understand in detail how the various local networks are connected together.

Q. Okay. And among the local networks that you have some understanding of, would that include networks that students have access to from dorm rooms or other?

A. I'm generally familiar with dorm room networks.

Q. And what's the bandwidth of those, to your knowledge?

A. A typical bandwidth would be 10 megabits per second on a shared link.

Q. As opposed to a switched link?

A. That's correct.

Q. Now, are the various dorm rooms set up so that each floor is a shared link unto itself, and then each floor is separately switched?

A. I don't know.

Q. You don't know the overall network configuration?

A. I don't know those details, no.

Q. Okay. That's fine. Fine. Do you have any knowledge of video compression technologies?

A. Only in a very general way.

Q. Generally, what do you know if you can sum it up?

A.
Well, I know that it's -- it's possible to compress video and to get some -- some -- a modest -- relatively modest amount of compression out of them. I know that video compression technologies are widely used because video files are so big.

Q. Does that sum up the state of your knowledge in video codecs?

A. In general. I know some of the acronyms and buzzwords, as well, but I'm not an expert by any means.

Q. Give me some of the acronyms that are?

A. Well, a compression mechan -- compression algorithms like MPEG and the various versions of MPEG, for example, are widely used. I know that some of my colleagues do research into video compression algorithms, but I'm not really up on their work.

Q. Okay. Have you ever heard of Divx?

A. Yes, I've heard of it.

Q. Do you know anything about it?

A. I don't -- I don't understand it in any detail.

Q. Do you know if it's widely available?

A. I don't know that.

MR. GARBUS: I object to the use of the word "widely."

THE WITNESS: I don't know how widely available it is.

Q. Okay. Now, did you ever have any communications with Eric Corley or Emmanuel Goldstein?

A. No.

Q. Do you know who that is?

A. Yes. I understand that that's one person.

Q. That's a start.

A. And that he's one of the defendants in this case.

Q. Okay.

A. And that he is the publisher or otherwise associated with 2600 Magazine.

Q. Had you ever heard of 2600 Magazine before, let's say, your luncheon meeting with Mr. Garbus?

A. Yes, yes.

Q. Had you ever read it before?

A. Yes.

Q. Had you ever visited the 2600 Web site before your luncheon meeting with Mr. Garbus?

A. Yes.

Q. And I'm sorry, you may have answered this. I apologize. Can we place a rough date on your luncheon meeting with Mr. Garbus?

A. It was a couple months ago. That's the best I can do.

Q. Okay.
And can you give me the gist of what was said at that luncheon meeting?

A. Sure. There was some general discussion about this case, and Professor Appel was present at the lunch along with Mr. Garbus and me. And so -- and at that point Mr. Garbus had discussed, I understand, in the past with Professor Appel, the possibility of his testifying. And so there was some discussion about that. There was some discussion about what the case was about in general, issues of schedule. There was some discussion about the -- the topics that were discussed in a paper that Professor Appel and I wrote and submitted to the Copyright Office and then later to Communications of the ACM, and there was, I think, also some discussion of issues involved in a -- in declarations that Professor Appel had written in other cases previously relating to the role of source code as a means of expression for computer scientists.

Q. Okay. Were there areas of potential testimony or analysis that were focused on you, Ed Felten?

A. I -- I think there was a general discussion of my background and what my areas of specialization were and so on. But I don't recall anything more specific than that.

Q. There was no discussion of areas where you might be qualified to testify in the case or provide a declaration at that luncheon meeting?

A. I don't remember any discussion at that lunch meeting except that at the very end there was a very brief exchange about whether I might potentially be interested in testifying.

Q. And did you -- who -- who asked you whether you might potentially be interested in testifying, Mr. Garbus?

A. Mr. Garbus.

Q. Okay. And did you respond to that query?

A. Yes. I said that I was interested in discussing it more.

Q. Okay.

A. But not a yes or no.

Q. Okay.
Was there anyone else present at the luncheon aside from you, Appel and Garbus?

A. No.

Q. When did you next have occasion to speak to anyone or communicate with anyone regarding this case or your involvement in it like an e-mail or in-person or telephonic?

A. I talked to Professor Appel not long after that -- I'll wait.

(Brief interruption)

Q. Okay.

A. Now that the tape is back, I talked to Professor Appel not long after that -- that lunch that I just referred to --

Q. Okay.

A. -- in general about -- about the possibility of me testifying.

Q. Okay.

A. That was, I think, the next discussion.

Q. Okay. To your knowledge, had Professor Appel already committed to testifying in this case?

A. I don't know whether he had committed or not.

Q. All right. Did Professor Appel encourage you in any way to testify in this case?

A. No, I don't think he did. I don't think he expressed an opinion one way or the other about whether I should or should not.

Q. Did you have any discussion with Professor Appel in any way about whether you should or should not?

A. I don't think I did, no.

Q. So what was discussed with Appel regarding your involvement in the case?

A. Information about the case, what he might be -- what he was expecting to testify about, which areas and so on. One of the things that I wanted to understand was, you know, what -- where -- the extent to which my testifying would sort of add to what he was saying.

Q. Okay.

A. Whether --

Q. I'm sorry. Go ahead.

A. Whether there were areas, relevant areas in which I had expertise beyond his.

Q. Okay.

A. So I wanted to understand what he might talk about.

Q. Okay. Were you able to identify during that conversation with Professor Appel any areas where you might add to what he had to offer?

A.
I'm not sure whether I identified things during the conversation, but I eventually came to an understanding about that.

Q. And when did you come to an understanding about that?

A. I think it happened over a period of time starting after the -- the lunch meeting that we talked about and going forward for, I don't know, some period of weeks probably.

Q. Okay. And you are in pretty much daily contact with Professor Appel when you're both in the office, is that right?

A. More or less, yeah. We -- probably more -- I speak to him the majority of days about one thing or another.

Q. Okay. Your offices are adjacent to each other?

A. Down the hall.

Q. Right. Okay. Okay. And did you speak with anyone else other than Professor Appel in trying to clarify or crystallize in your mind what things you might be able to add to what he might testify to?

A. Yes. I later spoke to Mr. Garbus and also Mr. Hernstadt.

Q. Okay. And can you tell me, relative to the lunch meeting, when that occurred or when those conversations occurred?

A. It would have been in a series of phone conversations between -- starting sometime after the -- the lunch meeting and going up until, say, sometime in June.

Q. Okay.

A. So I would have spoken on the phone to them a few times during that -- during that period.

Q. And is it your testimony that it was partly your own reflection, partly your discussions with Professor Appel and partly your discussions with Messrs. Hernstadt and Garbus that helped you sort of crystallize in your mind what areas of additional testimony you might be able to offer over and above that of Professor Appel?

A. I think in understanding what I could testify about, which areas I had sort of knowledge or expertise beyond Professor Appel, it was really my discussions with him that --

Q. Got you.

A.
-- that helped me understand that.

Q. Okay. But that you could ultimately wind up communicating your thoughts to Messrs. Garbus or Hernstadt on that subject?

A. We did talk about whether -- about what areas -- in what areas I -- I would be testifying, yes.

Q. Okay. In addition to that which Appel was going to cover or might cover, is that right?

A. That's right.

Q. Okay. This is not a trick question. I'm really just trying to focus on what you bring to the table, sir.

A. And also to the extent that I have some expertise in the same areas as Professor Appel, there's -- there's obviously some overlap between our testimony, as well.

Q. Okay. Can you tell me in subject matter areas what areas you discussed testifying in with Professor Appel and/or Mr. Garbus and/or Mr. Hernstadt, whether those overlapped or were separate and apart or in addition to those Appel might testify to?

A. Well, a good place to start is the -- the list of four topics -- that is in the declaration.

Q. Right.

A. And let me look at that --

Q. Sure. Please.

A. -- and see whether there's anything else that comes to mind.

Q. Okay.

A. I -- I don't recall discussing anything else that's not listed here.

Q. Okay. Now, we are talking about the four subject matter categories that are identified in Paragraph 3 of your declaration that's been marked Exhibit 3, right?

A. That's right.

Q. Okay. Let's work backwards, I guess.

A. Okay.

Q. The fourth category is the relationship between studying and improving the practice of cryptography and computer security related to the foregoing.
I guess that is going to lead us into the earlier ones, but I -- is this subject matter, Number 4 in Paragraph 3, that which we were talking about a little bit earlier in terms of detecting weaknesses in systems and system security and making information concerning those weaknesses available?

A. We talked earlier about my experiences in doing that, but we did not talk about why it's valuable to the value of that sort of testing and that sort of discussion for education and practice in -- in security and cryptography. So we talked about any experience, but not about the topic in general or the implications of -- of discussion.

Q. Fair enough. And again, I'm really trying to do this to expedite things.

A. Sure.

Q. So you'll stop me if I in any way misstate anything you say, please. But we did touch upon what I thought were your beliefs as to the value of testing security systems, if you will, and the value of making the weaknesses known. Is that part of the Subject Matter 4, the relationship between studying and improving the practice of cryptography in computer security?

A. That's -- that's part of the subject matter, yes.

Q. What else in addition to what we talked about is covered by this Subject Matter 4?

A. The use -- for example, the use of information about vulnerabilities and historical vulnerabilities, and testing and so on. The use of all of that in education, and how these sort of activities contribute to the practice, by which I mean the making of better and stronger systems in the future.

Q. Okay.

A. That's an example of something that goes beyond what we talked about earlier.

Q. When you talk about -- I'm sorry.

A. I'm done.

Q. Okay. When you talk about the value in education, are you talking about using examples of systems and system weaknesses in the classroom with students?

A.
Yes.

Q. Are these undergraduate students, graduate students or both?

A. Both.

Q. Okay. Have you, in fact, done so?

A. Yes. That's a -- it's -- it's an important part of the security course that I teach.

Q. I see. And were any of the 12 instances where you were involved in the discovery of a flaw or weakness in the system, have any of those been used in your classroom work with your students?

A. Yes. Some of them have been used specifically and also as sort of overview of -- of them, also.

Q. Okay.

A. It's part of what I use in teaching.

Q. Okay. But not all of the 12 have been used in your classroom work?

A. Not all of those specifically, no.

Q. Okay.

A. I also use a number of other systems that have been found to be flawed in the past and what can be learned from that, including CSS.

Q. Okay. So we are leading to my next question which is, have you had occasion at any time in your classroom work with students to use DeCSS?

A. I have -- I had a discu -- there was a discussion in -- in one of my lectures in my security class in the spring semester of this year regarding CSS and DeCSS.

Q. Okay. And in the course of that discussion, did you at any time operate DeCSS as an executable utility?

A. No. What I did was I used the knowledge which I had gotten from examining DeCSS to be able to give a -- an informative and useful lecture about it. So the availability of that -- of that software to me allowed me to -- to teach my course better, to teach about that material. And I did discuss with the students what CSS does, what DeCSS does, and the fact that DeCSS is available on the Net.

Q. Did you express any views about this case with your students in connection with these classroom discussions?

A. No. I did mention that there was a case.
At that time I did not know -- I knew very little about the case except that it existed and that it was about the DeCSS utility.

Q. Got you. Okay. Have you ever read the court's opinion with respect to the preliminary injunction issue in this case? By opinion I mean sort of the reason, the judge's views of the evidence and the findings. I don't mean to characterize it as a legal matter. I'm just trying to describe what I'm talking about.

A. I did read it at one point, although it's pretty far back in time. So I don't have a clear memory of what's in it.

Q. Okay. How many classroom sessions involved the discussion of CSS or DeCSS?

A. One.

Q. And was the entire class session that day devoted to that particular subject?

A. Not to CSS specifically. That was a class which was discussing uses of encryption to -- to try to restrict the use of various digital content. That topic in general.

Q. I see.

A. And one of the subtopics was CSS and the experience with it.

Q. Okay. Were there any other security systems or encryption systems that were discussed with respect to the protection of digital content, I think as you said, apart from CSS?

A. I'm sure I discussed some of the commercial software systems that are designed to do this. I don't recall specifically which ones I talked about.

Q. Okay.

A. There is relatively little technical information available publicly about some of them, so CSS was probably the one where I had the most access to information about how the system really works.

Q. Okay. And why is it that with respect to some of these other systems there is very little public information available about them?

A. Some of the other systems are still in development.
Some of them may be more complicated and, at least as far as I'm aware, less information has been released or reverse engineered about the other systems.

Q. And are we talking about some of the other systems that are actually commercially in place?

A. Yes.

Q. Can you put a name to those even if you can't remember if you discussed them?

A. I can't remember whether I discussed specific ones --

Q. Fair enough. But sitting here today --

A. Intertrust Systems is one example.

Q. Any others?

A. I'm not recalling the names of others.

Q. Okay. And you mentioned a minute ago that there were systems more complicated than CSS, I believe?

A. Yes.

Q. Do you regard the Intertrust System as more complicated than CSS?

A. I think it probably is. What it is trying to do is more complicated than what CSS is trying to do. Not having access to information about how the Intertrust System works, I can't say for sure, but it seems to me likely that it's more complicated.

Q. And what do you base that statement on?

A. The fact that it's trying to provide a more complex set of functions, more different kinds of control or ability to specify use, ability to extract payment on a per-use basis and so on. A lot of functions like that.

Q. Got you. Okay. Okay. Is there anything else about the relationship between studying and improving the practice of cryptography and computer security that you either intend to testify about or are prepared to testify about in connection with this case?

A. I can't think of anything I haven't mentioned.

Q. Let's move up to Number 3. I promised you I'd try to do this as efficiently as possible.
This is Subpart 3 of your Paragraph 3 of our Exhibit 3 declaration, the importance of disseminating and making available information concerning the subject of such tests and the methodology and results of such testing. Now, just again, for clarity's sake, we had talked earlier about the public dissemination of information regarding flaws in systems and the like. Is -- is that what this subject addresses?

A. In part.

Q. Okay.

A. Information about flaws, but also information about methods used to find the flaws --

Q. Okay.

A. -- and information about the sort of scientific procedures used and what the specific results of testing were, not just there's a flaw of this nature, but how it was found.

Q. Okay.

A. And -- and the implications of it and information about what went wrong to cause the system to be vulnerable.

Q. Okay. Do you -- are you prepared to testify to your views as to the vulnerabilities of CSS and what in your estimation, professional estimation went wrong as it were?

A. I have -- I have an understanding of some of the mistakes that the designers of the CSS made. And so I am prepared to testify about that, not in great detail.

Q. Okay.

A. But at a basic level.

Q. Okay. And just tell me basically what your testimony would be.

A. Well, on a technical level they made a number of mistakes. One of them was designing their own cipher instead of using a standard one that had been well-studied. One was using a 40-bit key size. One of the -- there were mistakes which led to the vulnerability that Frank Stephenson described that allowed someone to find a key with less than a 40 -- a full 40-bit space search. And there are also issues related to the description of distribution of keys which are more technical. I have not thought about those in -- in much detail at this point.

Q.
Now, you mentioned the 40-bit key size.

A. Yes.

Q. Okay. Are you aware of any sort of government regulation that was in place at the time with respect to supporting limitations on certain encryption device or codes?

A. Yes.

Q. And is it true that at the time CSS was first implemented commercially that it was subject to some sort of government regulation, again, I'm not asking for legal views, with respect to export of encryption code that was greater in length than 40-bit keys?

A. I know there were U.S. government export restrictions that applied more stringent rules to -- to devices that used more than 40-bit keys. Whether those rules -- how those rules applied to CSS I can't say.

Q. Fair enough. But you were generally aware of the existence of those export limitations, correct?

A. Yes.

(At this time, Mr. Gold enters the room)

MR. HART: That's Mr. Gold. He's a colleague of mine.

Q. Now, I think the third category you mentioned -- we are not on the dec, we are in subpart --

A. Okay.

Q. -- was something about the way in which the keys were protected or the way in which the hack occurred. Is that --

A. The way -- key management in general, which is about how you choose the keys, how many different keys there are, who has which keys, where they're stored and so on. And in the design of a system like CSS key management would be one of the critical issues.

Q. Okay. And when you say "key management," what do you mean by that?

A. As I said, I guess I gave a definition a minute ago, which --

Q. Okay.

A. -- pretty much having to do with everything, how keys are generated, who has them, where they are stored and so on.

Q. And what is your understanding of key management with respect to the CSS system?

A. I don't recall the details of how it works, although I have read about that.
There are -- I know there are certain keys which are stored in every DVD player, and that manufacturers of DVDs have access to certain keys. I don't recall exactly how those fit together.

Q. And do you have any knowledge and are you prepared to testify in any way with respect to the particular circumstances of how CSS was -- was -- was hacked?

A. I don't have any special knowledge about that.

Q. Okay. Let me just back up and, again, this is just sort of in an effort to expedite things. You gave an answer several questions ago where you categorized four things about Subject Matter 3 in Paragraph 3, and I want to go back to those four things.

(Record read)

MR. HART: Okay. Good. Thanks. That helped remind me of where we were at.

Q. Issues about key distribution. We just talked about what you know on that subject, yes, in terms of key management relative to CSS?

A. Yes.

Q. Okay. Let's go to the topic about the mistakes and Frank Stephenson. What can you tell me about that?

A. Sitting here right now, I don't -- I don't recall specifically what the mistakes were that led to that. I remember reading Stephenson's paper and verifying that with reference to the -- to the -- the code for CSS and DeCSS and understanding what the problem was, but I don't -- don't remember at the moment.

Q. And you've read Stephenson's paper, right?

A. Yes.

Q. It's available on the Internet, right?

A. It at least was when I got it.

Q. That's right.

A. That's where I got it from.

Q. Do you recall whether Stephenson included DeCSS as a zip code or downloadable utility?

A. I don't recall.

Q. Okay.

A. I do know, though -- I do recall, though, that when I was reading Stephenson's paper I made reference to the code which I had downloaded.

Q. And you didn't post the code?

A. No.
I didn't want to be sued.

Q. All right. Have we exhausted --

MR. GARBUS: I object to the use of the word "exhausted."

MR. HART: Well, I won't use it to describe you, Marty, but --

Q. Notwithstanding Mr. Garbus's objection, have we covered Subject Matter 3 within Paragraph 3 insofar as you're prepared to provide testimony in this case?

A. I can't think of anything that we haven't covered.

Q. Good. Let's turn to Subject Matter 4 within Paragraph 3. And just for the record, it's the methodology, purpose and importance of testing security systems, protecting access and/or use of various computer and/or Internet-related system. What does that mean?

A. Well, it's about how and why -- how you go about testing and studying the security level or vulnerabilities in software, how that process works --

Q. Okay.

A. -- both within an individual lab and sort of how the community process works among all the people working in that area.

Q. Okay.

A. And why that matters to -- to various people.

Q. Okay. So why don't you tell me what you're prepared to testify to in that regard.

A. Well, I have a lot of experience in doing this myself. And so I'm prepared to testify about the methods that one uses, about the sort of training that someone would go through in order to learn how to do this, about the interactions between people who do this, what sort of interactions I've had with -- with colleagues elsewhere and others who are engaged in that sort of study.

Q. Right.

A. How -- how different groups of people studying the same system interact and cooperate with each other.

Q. Okay.

A. And then, in general, and also based on my experience, what value people -- the public and -- and vendors and computer professionals in general get from that testing.

Q. Okay.
This last subject, the value to the public and the vendors and the like, is something we have covered in your testimony today?

A. We've covered it in general, yes, why -- why I think it is valuable to those people. Although I'm not sure we've covered all of the different communities who -- who get value from this sort of testing.

Q. Okay. Why don't you identify those communities for me.

A. Well, we talked about -- at least about the value that's provided to the vendors.

Q. Right. We talked about the value to the public, correct?

A. To the public, yes.

Q. Right.

A. And there are also organizations or -- there are also people within organizations who are in charge of maintaining or securing the computer system, system administrators and so on. Those people want to be able to understand the security, the implications of the choices they are making and security implications of the choices they have already made --

Q. Got you.

A. -- in deploying software.

Q. And these are people that would be aligned with the vendor role even if they don't work for a particular vendor whose systems may have been compromised?

A. Not necessarily.

MR. GARBUS: Objection.

A. Let me give you an example of the person I'm talking about.

Q. Please.

A. And I'll do it within -- within Princeton University. There's an organization called Computing and Information Technology which sort of runs the networks and the public computer clusters and all of that. And they not only handle the operations of those -- all systems but they make decisions about which software would be deployed, what the security policy is going to be, who is allowed to access what and so on.
And in order to make informed decisions about what to allow and what they should -- what they should do and what they should allow their customers, their users to do, they need to understand not only specific vulnerabilities in specific systems but also to have a general sense of which kinds of systems are likely to be vulnerable, how common vulnerabilities are and so on.

Q. Okay.

A. And -- okay.

Q. That covers value and identifies the relevant communities?

A. I can think of at least one more community, which is law enforcement.

Q. Okay.

A. Law enforcement agencies are very keen to talk to people who have an understanding of security vulnerabilities, how they are found, how to test for them and so on.

Q. And why is that?

(Brief interruption)

A. Could you repeat the question?

Q. I'm going to have to have the reporter read it back. I'm sorry for the interruption.

(Record read)

A. They want to understand what kinds of computer crime are likely to be committed. They want -- they want help in investigating things that have already occurred, and in general they -- they want help with the sorts of forensic analysis which tend to be done in looking for security flaws.

Q. Got you. Good. Now, the first three things that you mentioned -- and I think you've presented five.

A. Okay.

Q. Were methodology, training, and interaction between the interested parties if I can use those words. Is that --

A. Okay.

Q. I --

A. Sure. I -- I remember talking about all of those things.

Q. Okay. What's the significance of training?

A. So I -- I believe what I was -- I think what I -- what I was talking about or what you are referring to is how one goes about training people to do this kind of study.

Q. Study being?

A. Study of -- analysis of -- of systems looking for vulnerabilities.

Q. Okay.

A.
How one goes about training students, for example, to do that or training oneself for that matter.

Q. Okay. How does one go about training?

A. Partly practice.

Q. Right.

A. Partly by studying what other people have done, the experiences other people have had, how they go about doing it, what their methods are and what they found. Partly it's developing general skill at reverse engineering, which is something you can practice, and also study methods, understanding what tools are available and how they can be used.

Q. Now, you mentioned the interactions that take place between interested parties. Can you tell me what you mean by that?

A. Sure. We talked earlier about interactions between -- some examples of interactions between vendors of systems and people who find flaws in them. Also, interactions between -- really all the interested parties, vendors, system administrators, members of the public, people who are doing studies of vulnerabilities, and sometimes law enforcement. All of those groups interact with each other --

Q. Right.

A. -- in different ways. Even interactions for example, between people who are studying vulnerabilities in the same system. Quite a bit of experience in that.

Q. Okay. And what do you mean by "interactions"?

A. What I mean in that -- in that instance, between different researchers studying the same subject --

Q. Right.

A. -- how these people find out about each other, how they communicate their results to each other, how they build on each other's work --

Q. Okay.

A. -- and -- and so on. How they sometimes come into collaboration on projects and all that.

Q. And tell me what you know about that, what you are prepared to testify in this case in that regard.

A. Several -- well, several things.

Q. Okay.

A.
One -- one part -- one thing which 25 I've experienced is that -- well, this is often 119 1 EDWARD FELTON 2 a phenomenon in research where you are working 3 on a problem, working on some topic, and you 4 don't know anyone else who's working on it and 5 somehow you hear of someone else who is doing 6 it. And in my experience, very frequently 7 after there's been some public discussion based 8 on -- my group's work, whether it's in the 9 press or on our Web site, we get people who 10 we've never heard of come to us and describe 11 what they are doing, which is very useful and 12 relevant to -- helps to inform us about what's 13 going on and give us useful information. 14 Q. And how do they come to you, by 15 what means? 16 A. Usually -- usually they'll call me 17 or send me an e-mail. 18 Q. Okay. 19 A. Which, to me, just comes out of the 20 blue. 21 Q. Okay. Got you. 22 And is code shared in those e-mails 23 on occasion? 24 A. On occasion, yes. 25 Q. Okay. 120 1 EDWARD FELTON 2 And so as long as people know that 3 you are working on a particular subject or have 4 an interest in it by some information that's 5 put on a public Web site, you can solicit, 6 comment and further communicate through such 7 things as phone calls and e-mails, is that 8 right? 9 A. You could always discuss things by 10 e-mail, but one of the -- one of the challenges 11 in this situation is that you receive many 12 comments from people, and it's by the technical 13 content in those comments and it's by the 14 sophistication of their reaction to the 15 technical details that we've published that we 16 can spot the people who are really the most 17 interesting ones to -- to talk to. 18 Q. Okay. 19 A. And so it's really the technical 20 parts of the discussion that let me recognize 21 which of the thousand of e-mails I got -- 22 Q. Right. 23 A. -- are likely to lead to a useful 24 technical discussion. 25 Q. Okay. 
So, in other words, you may get a thousand e-mails in regard to a particular topic and you will screen those essentially and look at the ones that you think have the most value or the writer of that e-mail might have a lot to contribute and again get into further communication with that person, is that --
A. Well, in general I'll read everything.
Q. Sure.
A. And, you know, some -- some person may be pointing out an -- an interesting idea I haven't heard of, has a new way of thinking about a problem or has interesting feedback on something that we have done. That can't happen unless we're -- we are communicating to the public in the beginning details about what -- what we found and how --
Q. I understand.
A. -- and why.
Q. And after you've communicated to the public some details of what you found and why and you've gotten e-mails from lots of people, what do you then do in terms of facilitating the interaction or communication with the people that you're interested in talking with?
A. Well, to -- generally I receive a bunch of e-mails, a bunch of phone calls, and respond to each one. Someone sends -- someone has a particularly thoughtful or interesting thing to say, I'm likely to, you know, have a longer return conversation with them. And over time you might develop a dialogue or a collaboration or some sort of relationship with someone that originated this way. And a lot of communications just lead to -- lead to nothing.
Q. And where you have a continuing dialogue, how do you conduct that dialogue on a continuing basis?
A. Once you already know that you are working in the same area as someone, then you can operate by e-mail, for example. But in the beginning, in my experience you almost never know who those people are.
And it's only through the more general kind of discussion that -- it's only that that leads people to -- to start the interaction.
Q. Got you.
A. So it's not the case that there's some small community of people working on this problem who I know in advance --
Q. I understand.
A. -- who they are.
Q. I understand.
MR. GARBUS: Mr. Hart, do have any sense of how long you are going to go? I want to release my wife so we can start our weekend if you're going to go longer.
MR. HART: I'm obviously going longer because I'm not finished with my questioning. If you have to release your wife from whatever you've done, as a matter of courtesy, I would suggest that you release her immediately.
MR. GARBUS: As a matter of courtesy, can you tell me how far do you -- how long you think you are going to go?
MR. HART: I wouldn't expect to go more than another hour as a matter of courtesy.
MR. GARBUS: Go ahead. Continue. I'm just going to make a call. I can listen to the questions as you are doing it.
MR. HART: Okay. I don't know if I can ask questions while you're talking on the telephone. It's not a question of your permission, sir. It's a question of your being distracting.
THE WITNESS: Can we just take a quick break in any case?
MR. HART: That's fine. I think that's the right thing to do.
THE VIDEOGRAPHER: Off the record, 1:02.
(Brief recess taken)
THE VIDEOGRAPHER: Back on the record at 1:12.
MR. HART: Could you just read back the last Q and A, please? We're all -- remind ourselves where we were.
(Record read)
Q. So just to bring some closure to that area before we move on, you're saying that there's value in posting discussion to an open Web site which, in turn, will generate input from a variety of people by e-mail and then further communication -- or a phone, I think you mentioned. And then further communications that are of interest to you would be you pursued by phone or e-mail, is that a fair statement?
A. Yes, it helps -- it helps you to find -- it helps the people who are engaged in the study of this area to find each other. And I also think it inspires more people to go into that kind of study.
Q. Okay.
Okay.
Now, I think we are still in Subpart 2 of Paragraph 3, right?
A. Yes.
Q. Okay.
And we were talking about methodology, purpose and importance of testing security systems, protecting access and/or use of various computer and/or Internet-related systems, right?
A. Yes.
Q. And is there anything else beyond what you've already testified here -- to here today that you intend to or are prepared to testify to in this proceeding relative to that subject, Subpart 2 of Paragraph 3?
A. There is nothing else that I can think of.
Q. Okay.
Subsection 1 of Paragraph 3, the function, similarity and/or differences between source code and object code, and we talked a little about that today, is there anything else that we can add that would bear on what you are prepared to or intend to testify to in that proceeding on that subject?
A. Well, I think in general I would expect to testify to what source code and object code are.
Q. Right. What are they? Sorry.
A. Sorry, is that a joke or a question?
Q. It's actually a question that I said with a smile on my face. But it is a real question.
A. Let me finish the --
Q. I'm sorry. Please.
A. -- my previous answer.
What they are, what they are used for, what they're good for, and why and how people use them as a medium of communication.
Q. Okay. Go ahead.
A. So -- sorry, could you --
Q. Yeah. All right.
Now, could you tell me, based on your last answer, what your testimony is or will be with respect to what they are, what they're used for, what they are good for and I'm sorry, I neglected the last one.
MR. HART: We can have the reporter read it back if that's a help.
THE WITNESS: Sure.
(Record read)
A. Sorry, is there a question?
Q. Yes. I'm sorry. And, again, I'm really just trying to expedite things.
If you don't mind, I'd like you to now tell us in your professional opinion what source and object code are, what they are used for, and so on based on your last answer.
A. I'll go down the list.
First what they are. They are both different ways of expressing a computer program which is a list of instructions or a set of procedures for a computer to carry out or a process of doing something in series of stages, essentially what a computer is going to do.
Q. Right.
A. There are different -- there are lots of different ranges or notations for expressing computer programs, and generally you would apply the term "source code" to things which are closer to the level at which humans tend to analyze the -- and which humans prefer to analyze the -- the functions of the -- of what the computer is doing. And you generally apply the term "object code" to things that are closer to the form in which the computer actually executes the software. In fact, it's really more of a continuum.
Q. I understand.
A. There are often intermediary stages and so on.
Q. I often refer to that distinction as humanly readable versus machine readable code.
Would you disagree with that as reflecting the two ends of the spectrum that you just described?
A. Well, I think that both of those descriptions you gave are too extreme in that both forms are human readable and both forms are machine readable, and there's value to having machine and humans read -- be able to read any of these forms and analyze them. Certainly we teach students about all these different forms, how to read them, how to write them, what they're for, why they're used and so on.
Q. But is it fair to say that to the untutored eye object code is largely unintelligible?
MR. GARBUS: I'll object to the use of the term "untutored eye."
MR. HART: Untutored.
MR. GARBUS: I said untutored eye. It depends on whose eye and it depends on what "tutored" and "untutored" means.
Q. Of course it does.
A. To the untutored eye it's pretty much all gibberish.
Q. Of course.
A. It typically requires a bit more training and experience to be able to read object code effectively. One often reads or extracts information from object code with the help of -- of software tools.
Q. Called?
A. There are various different kinds; debuggers, disassemblers and so on.
Q. Right.
A. Those are examples of the sorts of tools one uses in working with object code.
Q. Right. Okay.
What else are you prepared to testify?
A. That was what they are.
Q. Correct.
A. The next category is what they are used for.
Q. Okay.
A. And they are used for several things. They are used as a medium of -- that people can use to express ideas about computer programs and what they want the computer to do. I'll leave that aside for now because that's one of the later topics that I mentioned. That's Number 4 on the list.
Q. Okay.
A. They are also used as computers -- some forms of code can be executed directly or indirectly by -- directly by a computer. All of them can be executed indirectly, at least. So that's another thing they are used for.
Q. When you say "indirectly" --
A. What I mean is, at the extreme end object code -- you have something -- you might have something which you can just load into memory and point the microprocessor at that and it will execute.
Q. Right.
A. In other forms you might need help from something -- a compiler to translate the code into a different format. You might use something called an interpreter which can execute code that's written in yet another type of format. And so when I talk about indirectly executed something, I mean with the help of other software.
Q. Okay.
So as an example, one can take source code and, with the use of a compiler, cause that source code to be converted into an executable piece of code for the machine to operate on?
A. That's an example, yes.
Q. Okay.
A. So these things are used as ways for people to communicate with each other, they are used to have a computer execute them, and they are also used as a way that -- as a method for people to describe what they want the computer to do. So when you write code you might be communicating partly to the computer, but you are also communicating to other people and to yourself.
Q. When you are communicating to other people and yourself, are you doing that more on the source code end of the spectrum rather than on the object code end of the spectrum?
A. It depends what those people want, what they want to learn about the program. Certain kinds of information are most easily extracted from source code and other kinds of information are most easily extracted from object code.
Q. Can you tell me what kinds of information are extracted from which type of code?
A. Sure. Source code is, as I said before, a little bit easier to read than object code and so it -- it might contain a description of what the program does or is supposed to do at a higher level of abstraction.
Q. Okay.
A. And so if someone wants information that exists or can be expressed at that level, they might look at the source code.
The object code contains more information about how the program will execute a particular machine or on a particular architecture, about the efficiency of that execution, about what kind of resources would be required to execute it. Information about bugs or errors in the program might be found in one or both of the forms.
Q. Okay.
A. So to move --
Q. I just want to try and close that subpart up --
A. Okay, sure.
Q. -- which would be to say that the value of the object code is in discerning the efficiency of the program on a number of different levels including how fast it would respect or how effectively it would run?
MR. GARBUS: I object to you testifying, Mr. Hart. Now, your job here as I understand it is to ask the witness questions. And incorrectly stating or qualifying or narrowing his testimony is inappropriate. I object to the form of the question. I will allow the witness to answer. I've permitted you to testify on a number of occasions in the hope of closing down this deposition. Go ahead, Mr. Felten.
THE WITNESS: All right.
A. I think what you said is part of the picture.
Q. Okay.
A. Certain -- certain kinds of information about efficiency, for example, about interaction with the detailed features of a microprocessor or some hardware device might be in the object code, but not in source code.
Also, there are certain things about a program which you can only learn or best learn by actually running the program. And in order to do that you have the program in a form such that you can actually run it.
Q. What things do you learn only when you run the program?
A. Some -- some things having to do with efficiency and use of resources by the program are best learned by running the program. There are some forms of testing which -- there are some situations where you can learn about the behavior of a program by a systematic testing method of running the program in different inputs and so on. And that's often more effective than just analyzing the program and scratching your head. So that's -- that's one example.
Q. Okay.
Do you have anything else to add on the value of the object code form as distinguished from the source code form?
A. I think that's all.
Q. Okay.
Let's just continue with your checklist. You have it in front of you.
A. What are they good for? I think I've -- that largely falls -- that largely is covered by information in the other categories. I've talked about testing. I've talked about learning about the programs. The next item is using the code as a medium for communication.
Q. Okay. Go ahead.
A. So let me move on to the -- the last one, which is why and how software code is used as a medium of communication.
Q. Please.
And so -- a medium of communication in this case between people.
And there are a number of ways in which that's done. This -- code is the most precise method that we have for specifying a computer program. If we want to talk about a program or algorithm. The most precise way of doing it is exhibiting code, because that says exactly what the program does without leaving out details. And the code is often in the details.
So you often need to see code in order to understand what someone is talking about.
Q. Okay.
A. Code also can serve as an existential proof of something. You say I can do something and someone, if they doubt you, you can show them the code and they can try it out themselves.
There are -- in addition, in the process of writing code there are many choices that the author can make. Some of them aesthetic, some of them having to do with how things are named, how things are arranged, how the functions of the software are divided up and organized. And a lot of ideas about how to structure or organize software or a particular program get expressed in the code.
Books that talk about how to write programs, how to be an effective programmer are usually filled with examples of code for just this reason. If -- computer programming is about writing code, and in order to be a good writer even of English, you have to read good writing and a lot of it, and maybe read some bad writing, and talk about it and figure out what's -- what's wrong with it. So in all of those ways software code is a way that people can communicate with each other.
Also, in writing code you're communicating with yourself because -- I know it sounds funny but --
Q. I find a lot of things funny. And believe me, I'm say -- this is very well-spirited. I think you understand that.
A. Yeah.
Q. Okay.
A. I understand that.
You are communicating with yourself in the sense that you might write a piece of code and then two months later come back and need to fix it and you want to be able to read it and understand what you meant.
And so that sense, it's also -- there's also a certain expressiveness in the way you write it would be -- that would be easy for someone to understand what it is intended for when you come back, and that someone else might be you having forgotten things in the meantime. Those are all examples of why and how software serves as a medium of expression.
Q. Okay.
A. I know Professor Appel has written about and spoken about examples of people using code as a medium of expression and a way of publishing scientific ideas.
Q. Right.
A. Which -- which I won't go into in detail.
Q. Okay.
A. But there are lots of examples of people doing that and code serving as a medium of expression and communication between -- between researchers and even from researchers to the -- to the general programming community.
THE COURT REPORTER: I just need to change my paper real quick.
MR. HART: Okay.
Q. Now, in the examples you just gave about code as a medium of expression in communicating ideas, is it typical in your experience to do so by including the code for an entire program in unexpurgated form or is it parsing pieces of a code including annotations within it or what? I mean, you have to give me a better sense of --
A. Well, it depends. It depends on the circumstances, who is trying to communicate what to whom.
Q. Right.
A. So I can't give a general answer. You see all of these in different circumstances.
Q. That is an entire program in code form, that is unexpurgated, unannotated fashion.
A. You might see an entire program, you might see a part of the program, you might see the program annotated or described and you might see the program described. You might see it in source code or object code or some other formats. All of those make sense in different circumstances.
Q. In your professional experience and based on all the testimony you've given here today in terms of communication, interaction, security testing, reverse engineering, what have you --
MR. GARBUS: I object to the form of the question. It has "what have you" in it.
MR. HART: I'm sure you do. Thank you, Mr. Garbus.
Q. Of the various manners in which code could be presented as you just outlined, how typical is it to have an entire program presented in unannotated code?
MR. GARBUS: I object to the form of the word "typical." Go ahead.
THE WITNESS: I -- I think it's one of the forms that you commonly see, a whole program not annotated or poorly annotated.
Q. I'm sorry, not annotated?
A. Not annotated or poorly annotated.
Q. What does "poorly annotated" mean?
A. Few annotations, maybe inaccurate annotations.
Q. And it's poorly annotated for what reason?
A. By poorly --
Q. Why is it poor? I'm sorry.
A. Perhaps "poorly" wasn't the best word for describing what I meant. What I meant is -- perhaps what I should have said is not annotated or minimally annotated.
Q. Okay.
But in your judgment, minimally annotated would be poorly annotated at some level. And what is -- why is it poorly annotated?
A. I think I chose the wrong word when I said poorly. What I meant to convey is there's not much annotation there.
Q. Got it.
MR. GARBUS: He wasn't using poor to mean not having dollars to it.
MR. HART: Of course he wasn't, Mr. Garbus, and I think we all know that. So your comment was really gratuitous and unnecessary.
Q. Now, can you tell me, in how many instances with respect to your Web site or the Web site that your group uses at Princeton, that you have posted openly to the public unexpurgated, unannotated object code utilities?
A. I can think of a few, a few instances.
And here I'm interpreting object code as something that can be executed directly.
Q. Right.
A. Whether through an interp -- executed easily just by sort of double-clicking it regardless of what form it's in.
Q. That's the gist of the question.
And what were those instances?
A. Well, first of all -- actually, let me clarify something with respect to the question. If something is object code or executable code or something which, as I said, can just be double-clicked and run, it's not going to have it in commentary or explanation. It just will be the code that executes.
Q. Right.
A. It says -- it says what it says.
Q. Right.
In other words, if you put commentary into what would otherwise be the presentation of object code, you are making the code inoperable in a sense as an immediately executable utility?
A. It may not be immediately executable if it has -- if it has comments in it.
Q. Okay. Got you. Go ahead.
A. It might be accompanied by comments.
Q. Got you.
A. Or there might be comments associated with it somehow.
Q. Okay.
A. About how to use it. There might be a manual or something.
Q. Okay.
A. We've done that in a few instances.
Q. And you were going to tell me what those instances were.
A. Well, I'll give you a couple of examples. I'm not sure I can get them all, but -- we've -- one bit of code that we have made available -- we -- because of what I'll characterize as various lawyer-oriented rules of the university we -- we don't often just give out code without requiring people to agree to some very mild license agreement promising not to sue us if something goes wrong or something.
So if we are going to distribute a whole program with the expectation that people will run it, it we will require people to -- to agree to some -- to something before they take it.
But with that understanding. But we do make it available to anyone who wants it.
Q. Who signs the license agreement, the recipient?
A. The recipient, yes. And it's pretty much boilerplate type of thing.
Q. Is that something that's readily available on a Web site, the license agreement?
A. I believe it would be.
Q. Okay.
A. I'm not positive that it's available.
MR. HART: I'd like that produced. And if you get it to us, the quicker the better.
MR. GARBUS: Okay.
THE WITNESS: Right.
Q. Is there a URL that you can give me right now where I might --
A. Not off the top of my head, no.
Q. Okay.
A. And it's our usual practice to do that. I can't say -- to associate that agreement. I can't say we've done it every time.
Q. And is there anything that is provided by Princeton University and/or written by its lawyers as you mentioned a minute ago, you said it was lawyer-driven, that explains the policy itself?
A. The policy of the University -- well, without going into a long exposition on the University's intellectual property policy, if we -- the rules roughly say that if we want to distribute something which might potentially have commercial value, software, then we need to get permission from the University to do that. And generally that permission is readily given and they might -- the University might ask us to put -- to put -- to require a license agreement that involves, say, a liability disclaimer or something with the code.
Q. Okay. Got you.
A. That's the sort of thing I'm talking about as the license agreement.
Q. When you say where software might have a commercial utility or value, what do you mean by that?
A. So what I mean is that the University -- if we as researchers create something that has monetary value, the University would like to -- would like to get -- get its share.
Q. Got you.
A. And so we can't just -- if we have something of commercial value we can't just necessarily release it without at least disclosing to them what it is and so on. And there are a bunch of procedures related to that. That's pretty standard at universities and companies for obvious reasons.
Q. Are there any policies or procedures or license -- or other kind of written requirements to your knowledge at Princeton which address potential liability arising from code, i.e., it would cause a disruption of someone's system, virus issues or just the potential that it could be misused in some way and that somebody could get sued for that?
A. My experience has been that if I go to the university and ask for permission to distribute some kind of software because it might potentially have commercial value, then they will generally, regardless of the nature of that software, ask me to require people to sign some sort of license agreement involving a liability disclaimer regardless of the nature of the software.
Q. Whether or not it has commercial value?
A. Whether or not they judge it to have commercial value. Just the fact that I have talked to them about releasing it. They will generally ask for it.
Q. Did you ever go to anybody at Princeton and ask them for permission to disseminate DeCSS in any form?
A. No.
MR. HART: I'm sorry. I think we were talking about those instances where you had posted or caused to be posted to you or your group's Web site at Princeton what I was calling unexpurgated code in the form of an immediately-executed utility. And I think you were going to give me examples of those instances where you had done that, and you started to explain the license procedure. Continue to do that, please.
A. Sure. So let me start with one example.
It was something called the JAVA filter which was -- which you can think of as being an add-on browser that provides some additional security functionality.
Q. Okay.
A. It was -- if you installed this thing on a certain version of a certain browser it would give you the ability to have more control over which Java Applets your browser would execute, and that has security implications.
Q. Got you. Okay.
A. So we had developed that as a research project, and we made it available to the public from our Web site. That's one example.
Q. Okay.
A. I'm trying to think of some more examples. We -- another example -- I -- I'm not thinking of another example coming out of our lab --
Q. Okay.
A. -- although I'm sure there are some. But releasing the software in this way is a routine practice and lots of people in our department have done it.
Q. Okay.
To your knowledge, have any computer crimes been committed affecting Princeton's computer systems?
MR. GARBUS: Object to the form of the question. But you can answer if you know.
A. Yes.
Q. Can you tell me just briefly what you know about that?
A. Well, so with the qualification that I'm not going to make -- I'm not going to make expert decisions about what's a crime and what's not.
Q. Correct. Absolutely. And I don't want a legal conclusion.
A. Based on a common sense understanding, yes, there have been virus -- there have been viruses, there have been instances of people breaking into various computer systems.
Q. Are these students, typically, or outsiders or both?
A. I do not know of any instances of students doing it.
Q. Okay. Okay.
A. I don't know if I would have --
Q. Yeah, I understand.
A. -- had that occurred, but I do know of a number of instances in which people apparently from the outside broke into Princeton's system as well as the viruses.
Q. Do you know if they were prosecuted or any action was taken against them?
A. I don't know. I wouldn't know if they had. It's not my department --
Q. Got you.
A. -- to go after those people.
Q. Okay.
Were you consulted at all in any connection in terms of the integrity of the system or the forensics or any of the other things you mentioned earlier about law enforcement issues relative to computers and computer crime?
A. With respect to crimes at Princeton -- yes, actually.
Q. And in which instances were you consulted?
A. I'm thinking in particular of the Melissa virus.
Q. Okay.
A. In that case I was consulted by the FBI and by the U.S. Attorney's office.
Q. Okay.
Are you aware of Napster?
A. Yes.
Q. How are you aware of it?
A. Articles about it in the press primarily. Discussions with people.
Q. Were those discussions confined to computer specialists or did they also include laypeople?
A. I think I've had discussions with both, specialists and laypeople.
Q. Okay.
Are you aware whether Princeton has encountered any problems as a result of students using Napster at Princeton?
A. I don't know.
Q. You are not aware of any?
A. I'm not aware of -- of any.
Q. Okay.
A. Of any problems.
MR. HART: I'm not clear what we are doing on the record at this point, because Mr. Garbus' phone rang while you were answering my question and he's now stood up and taken a phone call. So I'm not going to ask you any questions until Mr. Garbus resumes his appearance here.
Are we back?
MR. GARBUS: Yes.
MR. HART: Thank you.
Q. Now, you co-authored a piece with Professor Appel that was submitted to the Copyright Office in connection with the rule-making inquiry, correct?
A. Yes.
Q. And who prompted the writing of that piece?
A. I think -- the actual writing was a collaborative effort. I think I'm the one who first raised the topic of the Copyright Office soliciting comments.
Q. Okay.
And how did you become aware of the Copyright Office proceeding?
A. I don't remember.
Q. Do you think it may have been as a result of any communications you've had about this case?
A. No, not as a result of this case, because we worked on that document before I had any involvement in this case.
Q. Okay.
Had you followed the legislative process with respect to the enactment of the Digital Millennium Copyright Act?
A. Yes.
Q. Did you ever submit any testimony or views in connection with that legislative process?
A. Yes. I signed a letter to -- I believe it was to various members of Congress or -- and/or Senators --
Q. Right.
A. -- which was signed by a large number of computer security experts, I guess.
Q. Okay.
And what was the gist of that letter?
A. It was a concern about the -- about the effect of the -- of what was then the current draft of the Digital Millennium Copyright Act, and the effect of that on the ability of people like me to do computer security research and to disseminate the results of that -- of that research.
Q. And specifically, was it the circumvention or that type of proposed circumvention legislation that was part of the DMCA that was the focus?
A. The -- the circumvention aspect of the DMCA was -- was at least one of the main topics of the letter.
Q. I'm only saying this, not to belabor the point, but because the DMCA as you may know includes a number of different components, and I'm not interested, unless you feel you are going to testify or you may testify, on subjects like ISP liability and boat hull protection and some of the other things that were in the DMCA.
A. No, it was -- it was not about any of those topics that you mentioned.
Q. Okay. Fine.
A. It was primarily in the area of the anticircumvention requirements and the things that are connected to or close to the -- some of the issues in this case.
Q. Okay.
And I'm sorry, the view again, that was expressed generally speaking was?
A. Was -- the view -- generally, the view of the -- of the letter and the concern that we were trying to raise was that -- was a concern that the DMCA would make it either impossible or more difficult to do computer security research that involves reverse engineering and studies of vulnerabilities and so on, and also about the effect of the DMCA as it was then on -- on -- dissemination of -- of research results and interaction among researchers and between researchers and other people.
Q. Got you.
And can you place a rough time frame on when this letter was submitted?
A. I'm not sure I can tell you the time frame. I can tell you when it was relative to the passage after the DMCA.
Q. Okay.
A. It was -- it was within a few months before the DMCA passed.
Q. Okay.
And to your knowledge, were there further bills or proposed bills for the circumvention aspects of the DMCA that were under consideration after the date that you submitted your letter?
A. You are referring to bills relating to the DMCA, other -- other bills relating to the DMCA?
Q. I'm sorry. And it may have been my question. I apologize.
12 Without yet drawing any conclusion 13 as to what effect your letter may have had on 14 the Congressional legislative process, I'm 15 simply asking you whether you are aware that 16 there was further bill writing and bill 17 proposals with respect to the DMCA and its 18 circumvention provisions that -- that were done 19 or made after the date of your letter. 20 A. My understanding is that when we 21 submitted the letter, the process of writing or 22 editing or whatever the term is, determining 23 the final form of the DMCA was still going on. 24 Q. Okay. 25 And are you aware whether, in fact, 160 1 EDWARD FELTON 2 there were any changes made in the bills or the 3 proposed legislation after the date of your 4 letter with respect to any of the topics that 5 you covered in your letter? 6 A. After the date of the letter there 7 was a -- an exclusion for -- a very limited 8 exclusion for cryptographic research put into 9 the DMCA which, in my opinion at least, was not 10 enough to address -- it was better than nothing 11 but not enough to address -- fully address the 12 concerns that we raised in the letter. 13 Q. And this was for cryptographic 14 research you said? 15 A. It's a -- yes, it's a limited 16 exclusion for cryptographic research. Which, 17 as I said, I think did not go far enough to 18 protect the issues that we were discussing. 19 Q. I understand. 20 And you say that at the time you 21 submitted the letter no such exclusion existed 22 in the legislation you were commenting on at 23 the time? 24 A. It's a little bit hard to tell 25 because there were various drafts and so on. 161 1 EDWARD FELTON 2 Q. Right. 3 A. And it's not easy for an average 4 person to get access to the up-to-the-minute 5 draft of the bill. 6 Q. Got you. 7 A. But there were at least some 8 versions floating around at the time that we 9 submitted the letter which did not have such an 10 exclusion. 11 Q. 
Did you weigh in any respect in 12 your letter on any other kinds of proposed 13 exclusions or modifications to the bill or 14 bills in respect to anything relating to 15 circumvention? 16 A. I don't recall whether we 17 specifically commented on language in a bill. 18 We raised the issues that I described before in 19 general. 20 Q. Right. Okay. 21 A. And one of the goals of the letter 22 was to make sure that the people who were 23 writing the legislation understood what the 24 values were that we were concerned about. 25 Q. I understand. And I apologize if 162 1 EDWARD FELTON 2 my last question was unclear. I wasn't talking 3 necessarily about commenting on particular 4 language in the bill. But you mentioned that 5 one of the subjects in your letter had been 6 encryption research and the need to address 7 that in some way in the proposed legislation, 8 right? 9 A. No, I don't think -- 10 Q. I'm sorry. 11 A. Let me -- let me characterize that 12 in a different way. 13 Q. Okay. Fine. 14 A. There was a concern that particular 15 -- well, there were many concerns, but the -- 16 one of our desires was to -- in fact, to make 17 sure that the people working on the bill 18 understood that -- that computer security 19 research in general was at risk in the process 20 of writing the bill. Not just encryption, but 21 other forms of -- of security, as well. 22 Q. Like security testing, you mean? 23 A. Well, there -- there are different 24 methods -- different kinds of technologies that 25 people use to try to protect or establish 163 1 EDWARD FELTON 2 security, and encryption is only one of them. 3 Q. Okay. 4 What are the others? 5 A. Access control. 6 Q. Right. 7 A. Physical security. 8 Q. Right. 9 A. Various kinds of software methods 10 for limiting and enforcing restrictions on what 11 programs can do. Encryption is only one 12 subarea of security. 13 Q. Okay. 14 A. 
And so we wanted to make sure that 15 they had understood that this was not just 16 about encryption, but about security in 17 general. 18 Q. Okay. 19 A. That was one of the concerns. 20 Q. What I'm trying to do -- and again, 21 I'll make my agenda here plain -- is to get at 22 what subjects you covered in the letter and 23 what Congress ultimately did, whether or not 24 there was a causal connection between your 25 letter and what Congress did. And if we can do 164 1 EDWARD FELTON 2 that simply by topic -- I mean, you mentioned, 3 for example, that your letter addressed certain 4 concerns and that ultimately there was a 5 provision and exception, I think you may have 6 used the word, or exclusion, put into the bill, 7 although I think you said you weren't entirely 8 happy with its scope respecting encryption 9 research. I'm trying to get at what other 10 topics you addressed respecting circumvention 11 in your letter and what, to your knowledge, 12 occurred in respect to the passage of the -- 13 the law on those subjects. Does that help? 14 A. Sure. 15 Q. Okay. 16 A. So the letter talked in general 17 about what we were concerned about, it talked 18 about the value of reverse engineering. 19 Q. Okay. 20 A. It talked about the value of being 21 able to do and study circumvention. 22 Q. Okay. 23 A. It talked about how -- talked about 24 the difference, I believe, between 25 circumvention and copyright infringement. 165 1 EDWARD FELTON 2 Q. Okay. 3 A. And a number of related issues like 4 that. I believe there may have been some 5 concerns in the letter, specifically about 6 things that were in the current version of the 7 bill. 8 Q. The then current version of the 9 bill? 10 A. The then current version of the 11 bill. 12 Q. Right. 13 And to your knowledge, were there 14 any additional exclusions put into the 15 legislation as it was finally enacted after 16 your letter, whether or not you can say it was 17 as a result of your letter? 18 A. 
I don't recall there being any 19 other, I guess what I'd call helpful changes to 20 the bill after the letter. 21 Q. Okay. 22 Do you recall if there is an 23 exclusion for reverse engineering in the 24 legislation as enacted? 25 A. There -- I know that there are some 166 1 EDWARD FELTON 2 -- I know that there's some language in the 3 bill that protects reverse engineering for 4 certain purposes. 5 Q. Okay. 6 A. But I can't tell you specifically 7 what those are. 8 Q. Okay. That's fine. 9 Under whose auspices was this 10 letter submitted? Was it on behalf of a 11 particular society or a group of societies? 12 A. It was signed by a group of 13 individuals. 14 Q. Okay. 15 A. It was a fairly large group. It 16 may have been 50 or more. Some from 17 universities, some from societies, some from 18 companies and perhaps some from government, 19 although I'm not -- I'm not sure about that. 20 Q. Okay. 21 A. In most cases speaking as 22 individuals. 23 Q. Okay. 24 A. But many of the leading experts in 25 security research signed the letter. The goal 167 1 EDWARD FELTON 2 was to sort of give the -- give the people 3 working on the bill something which represented 4 the opinion of -- the sort of majority opinion 5 of experienced security researchers. 6 Q. Okay. 7 Now, with respect to the article 8 that you and Professor Appel wrote that got 9 submitted to the Copyright Office or the 10 Library of Congress in connection with the 11 Copyright Office rule-making proceeding, what 12 was your purpose in submitting that? 13 A. 
Well, there's a point of view 14 expressed in the -- in the -- in our 15 submission, and we wanted to make sure that 16 they -- they heard that point of view, that -- 17 that people understood that -- that 18 technological access control which prevents 19 researchers from getting at the raw bits of 20 digital works does prevent certain kinds of 21 valuable research on those works, valuable and, 22 as far as we -- as far as we know, legal 23 research on those works. 24 Q. Okay. 25 And -- 168 1 EDWARD FELTON 2 A. And specifically -- if I could go 3 on with that answer. 4 Q. You bet. Sure. Sure. 5 A. The solicitation for comments that 6 -- that was put out specifically asked for 7 information about the effect of the 8 anticircumvention provisions on research and 9 scholarship. And so we wanted to speak to that 10 part of the solicitation. 11 Q. Okay. 12 So, in other words, the Library of 13 Congress had solicited comments as part of an 14 ongoing legislative process to your 15 understanding? 16 A. My understanding is when the DMCA 17 was passed that the Library of Congress was 18 directed or authorized to do -- to make 19 findings at some point later in time, and that 20 this was the process of their -- of their 21 deciding what findings to make. 22 Q. Okay. 23 And that's the general purpose for 24 which you and Professor Appel submitted your 25 piece, namely in furtherance of the taking of 169 1 EDWARD FELTON 2 comments by the Library of Congress as part of 3 the legislative process? 4 A. That's why we submitted it to the 5 Library of Congress, yes. 6 Q. Got you. 7 MR. HART: I would like to have 8 a copy of that letter if I didn't 9 already ask for it, and I -- I 10 really want to thank you for your 11 time and your candor. Thank you. 12 MR. GARBUS: Thank you very 13 much. 14 MR. HART: You are quite 15 welcome. 16 MR. GARBUS: We are done. 17 THE VIDEOGRAPHER: Off the 18 record, 2:02. 19 (Time noted: 2:02 p.m.) 
20 ______________________________ EDWARD FELTEN 21 22 Subscribed and sworn to before me on 23 this_____day of____________________, 2000. 24 _______________________________ 25 Notary Public 170 1 2 STATE OF NEW YORK ) ) ss: 3 COUNTY OF NEW YORK ) 4 I wish to make the following changes, for 5 the following reasons: 6 7 PAGE LINE 8 ____ ____ CHANGE: __________________________ 9 REASON: __________________________ 10 ____ ____ CHANGE: __________________________ 11 REASON: __________________________ 12 ____ ____ CHANGE: __________________________ 13 REASON: __________________________ 14 ____ ____ CHANGE: __________________________ 15 REASON: __________________________ 16 ____ ____ CHANGE: __________________________ 17 REASON: __________________________ 18 ____ ____ CHANGE: __________________________ 19 REASON: __________________________ 20 ____ ____ CHANGE: __________________________ 21 REASON: __________________________ 22 ____ ____ CHANGE: __________________________ 23 REASON: __________________________ 24 ___________________________ ____________ 25 WITNESS' SIGNATURE DATE 171 1 2 CERTIFICATION 3 4 I, MICHELE ANZIVINO, a Notary 5 Public in and for the State of New York, do 6 hereby certify; 7 THAT the witness whose 8 testimony is hereinbefore set forth, was duly 9 sworn by me; and 10 THAT the within transcript is a 11 true record of the testimony given by said 12 witness. 13 I further certify that I am not 14 related, either by blood or marriage, to any of 15 the parties to this action; and 16 THAT I am in no way interested 17 in the outcome of this matter. 18 IN WITNESS WHEREOF I have 19 hereunto set my hand this 7th day of July, 20 2000. 21 22 ____________________________ MICHELE ANZIVINO 23 24 25