Elsewhere on this site, I've mentioned receiving the wonderful honor of being the first chair of an exciting new committee of the American Bar Association, the national association of lawyers in the US. The committtee will address the legal issues of “Artificial Intelligence and Robotics.” We're going to have a listserv, some form of online publications, and plan to co-host webinars, teleconferences, and possibly a conference.

New in the fall of 2007, the Artificial Intelligence and Robotics Committee will address all aspects of law and devices that replicate or appear to replicate human mental or physical activity – learning, reasoning, communicating, manipulating objects, etc. The Committee’s activities will be divided into two broad topic categories:

1) Law about AI and Robotics – will track changes in statute, regulation, and case law about, or which specifically affect parties engaged in, artificial intelligence and robotics.

For example, one case has addressed whether a person offering a particular piece of software was offering an AI tool or practicing law without a license. We expect there will be cases about who owns the results of machine learning – the maker or the buyer – in both cases of advancement and liability. Similar questions will be asked about robotic prostheses which combine robotics and wearer impulses. As AI and robotics becomes more prevalent, we expect law-making bodies to seek to regulate these activities – or their results. Just as “corporate law” is a lens on the combination of contracts, torts, employment, and other topics in law, “AI & Robotics” will necessarily draw from intellectual property, privacy, contracts, liability, etc.

2) Use of AI and Robotics in legal activities – will address advances such as automated contract drafting and interpretation, compliance monitoring, and even law enforcement.

Although the use of robots in government may sound far-fetched to the general public, there are many efforts taking place in this arena. Just this week, the IEEE Robotics and Automation Society in Boston is describing and demonstrating new robotics for inspecting marine structures. And, the same folks who make home vacuum cleaner robots are making bomb detection robots for the federal government.

As technology advances, the Committee will address the challenges posed by ever smarter and more-dexterous machines that can out-perform humans, or make decisions on behalf of humans. We expect that the committee will touch on areas related to privacy, medical treatment and healthcare, product liability, and perhaps more fleetingly, the question of ‘humanness’ in a

This Committee will provide assistance to those advising technology companies, incorporating new technologies into their practice, lawyers in technology roles, technologists building legal tools, cross-disciplinary professors, and those who just want to be ahead of the curve.

The homepage for the Committee is at:

http://www.abanet.org/dch/committee.cfm?com=ST248008&edit=1&CFID=70893211&CFTOKEN=909f3fff9d5522e2-8758D883-C2B1-9621-7E534952BC914531&jsessionid=1a30274d649d1630413dTR

You can subscribe to the listserv there (look for the small LISTSERV Lists box on the right side of the page below the Leadership box).

If you work in the world of technology, you've certainly heard of Second Life, the 3D virtual world that started as a social game site. With more than 40 million registered users, over a million claimed active users, and the generation of revenue in not-so-virtual millions, it's a long way from the 1970's Troll Room of Zork. But, did you know that this technology is now creeping back to the corporate world?

Recently, I've been working on a project that required me to give myself a crash course in online collaboration spaces. Sure, I've known Groove, GoToMeeting, and WebEx. This, though, is the beginning of a new world in which telecommuting and outsourcing become increasingly irrelevant issues as people have the ability to work in persistent, fully functional, 3D, web offices.

Imagine "going" to work by logging on to the web and having your 3D avatar with your face walk into your "office." Your office can have your whiteboard as you left it and one or more iterations of your desktop applications. Then, walk into the "coffee room" where you run into co-workers who are physically in Mumbai or London. You can communicate through text chat, emoticons, and the physical gestures of your avatars; or, you can be yourself through microphone and webcam if you prefer. Some technology so replicates the real world that voices will increase and recede in volume as you move towards and away from other avatars.

You can hold meetings anytime with those remote co-workers in "rooms" which allow you to project on the wall any desktop application or live web browser, or share a whiteboard or document. You can leave the room and come back to everything in place ("persistent state") if that's your preference. Assuming the "door" is not locked, you can also "walk" into co-workers offices to visit or ask questions, again sharing computer and web screens.

Not so long ago, talking to people from the other side of the world was clunky and slow.  Just as international telephone calls have become fast, clear, and reliable, so too here in the virtual world; the delays ("latency") are minimal. 

In this configuration, the collaboration platforms are relatively new.  As the offerings expand and mature, customization will be easier and prices will be quite reasonable.  It won't be long (two years?) before this technology takes off and is considered an everyday choice for those managing dispersed workers.

Today, I'm joining 97 million other bloggers and making my pages searchable by Technorati.  Stay tuned for updates on whether/how it changes this site and the traffic coming to it.


Technorati Profile

I've always loved the Guys and Dolls song in which a bunch of guys sing a catchy round about picking their favorite nag at the track. They're telling each other why they've made their pick. It goes like this:

"I got the horse right here
The name is Paul Revere
And here's a guy that says that the weather's clear
Can do, can do, this guy says the horse can do"
...
"I'm pickin' Valentine, 'cause on the morning line
A guy has got him figured at five to nine
...
I know it's Valentine, the morning work looks fine
Besides the jockey's brother's a friend of mine "
...
"And just a minute, boys.
I've got the feed box noise
It says the great-grandfather was Equipoise "

What does this have to do with computers? It provides an easy to understand example of how we make decisions. The gamblers are describing where they got their information and what categories of information matter to them. They rely on a favorite racing form, friends of friends, and gossip from the staff. In the brave new world of dynamic access control, we want to do the same thing to reach an automated decision about what data you can see. Instead of racing forms, we have "trusted sources" or "authoritative data" -- repositories we believe have reliable information. And, instead of the weather, lineage, and distance, we're looking for other categories of facts that consistently help us to reach our decisions.

I've recently done a project in which we attempted to define how many things you really need to know about a system user to decide whether or not s/he can have access to particular government work-related information. The idea was to see if there was an universal core of attributes that most system access rules are seeking. In other words, does the decision about what you can see in the human resources system rely on the most of the same categories of information about you as the decision about what you can see in a criminal case file or a person's tax filing. Our answer is "yes," if you create the right sort of categories. And, much to our surprise, our core list is only thirteen attributes.

What's the right sort of category? Other proposals have made each fact its own category. For example, imagine an attribute which indicates whether someone is a law enforcement officer and a different one for whether someone is a lawyer. Organized that way, you would need thousands (millions?) of attribute categories. But, if you say the attribute is "job description" then you can include officer, attorney, and a million other jobs in one attribute category.

Having a small number of needed attribute categories has a tremendous advantage. It means the software can be less complex, handling a smaller number of variables. It means the processing time should be faster. In this design, each system needs to know only the values it cares about. For example, if the access rules for a system only permit government auditors and law enforcement officers to view the data, the particular system doesn't need to know that a person can be a doctor or a dog catcher. It only looks to see if the person seeking access matches (or has an equivalent to) "government auditor" or "law enforcement officer" in his "job description" attribute.

We think the 13 user attributes are:

Employer Name
Employer Subgroup (as many hierarchical levels as needed)
Employer Type (e.g., federal government, private hospital)
Employment Type (e.g., permanent, temporary assignment, contractor)
Job Designation
Location (physical and virtual)
Location Type (permanent, temporary)
Special authorities/licenses (granted by others)
Management Level
Direct Reports
Rating/Reviewing Official
Skill (ability, irrespective of outside grants)
Skill Level

So far, we haven't come across a data access rule we couldn't parse into one of these attributes. If you do, please tell me.

Last week, the New York Times carried a small Reuters piece explaining that the Chinese government is considering having people combine their mother's and father's family names in order to dramatically expand the number of surnames in China.  With only 100 surnames currently in use, the police and other government officials are presumed to have significant difficulties distinguishing individuals.  The new combinations would create an estimated 1.3 million new surnames.

In the long run, such a change may aid authorities in distinguishing one person from another.  In the short run, though, it may create an unintended problem.  The designers of software for business and security are constantly creating system rules to reduce errors  As business has gone global, tremendous effort has been put into dealing with the variations of names from so many cultures and countries.  For  example, are there programs that have rules to "disambiguate" -- to properly match records from two people with the same name to the right person.  And, there are programs to identify "dirty" data and "cleanse" it -- to recognize common spelling, typing, or transliteration errors and change them.  The big question, then, is how many of those programs would fail to run or would run but reach the wrong results with the addition of a million new names.  Are there programs currently in use that would kick out as "dirty data" those records for Chinese citizens with surnames other that those on the list of 100? 

Truth is stranger than fiction.  For several months, the TAMI team has been building a hypothetical scenario involving a patient with Extra Drug Resistant Tuberculosis (XDR/TB) and a need for the CDC to use data mining to find the people to whom he might have spread the disease.  Just a few weeks ago, we expanded the hypothetical scenario to include a branch in which the patient was the subject of a court hearing over whether he had to be involuntarily confined to a hospital (quarantined).  Then, today, the news was filled with the real-world case of a man with XDR/TB who traveled  half-way round the world on commercial flights, his quarantine by the US government, and the CDC investigation  seeking to use airline data records to identify potential contacts. 

Traditionally, if someone wanted to restrict access to a computer system,  the first line of defense was a list of authorized users...a list of people, by name.  These systems generally relied on one central administrator to keep track and keep up.  Not surprisingly, in any system with more than a few users, it was hard to keep up with who should and who shouldn't have access.  System administrators had to rely on others to keep them informed when people quit a job or left a group.  There have certainly been occasions when fired employees continue to have access to the systems of their former employers for at least some time.  At the personal or small group level, the name registry sort of security has just been too hard for most and we end up either posting things to the entire internet (like this blog), or not posting things that we might worry about people using inappropriately (like pictures of small kids).   Today, many of us are tackling ways to grant and deny access to information without making and maintaining lists of authorized persons. 

One method is to allow access based upon "attributes."  Instead of trying to identify people by name, we say what kind of people we want to let in.  We might focus on what sort of job they have (anyone in sales can have access) or what their relationship is to us (anyone who is a member of this museum, but not anyone who is an affiliate of a member).  In more complex systems, we can allow for multiple attributes (employees, in the sales department, who work in the western region).  In order for this to be successful, we still must have access to information about the people who will seek access (the employee roster, the membership list).  This model allows for limited decentralization; we can get the attributes from a number of systems that centralize each attribute. In an environment like the government, this could be successful, because the government can mandate a relatively high level of structure and consistency.

Another method is to give people "permissions."  In the physical world, when we want to give someone access to our home or office, we give them a key.  If we trust them, we may give them a key that they can copy (my housekeeper had the set she carried plus the set she made as a back-up at home; my mother-in-law makes a copy for my brother-in-law); if we trust them less, or have more to secure, we give them a key that cannot be copied without special permission or special equipment.  In the virtual world, we can give someone a bit of code that works much the same way.  With software, though, we can create more permutations of the key.  It might only work during certain hours, only work for a certain number of times, or only be shareable with people with a particular type of userID, say a company webname.  This is a distributed trust model; it lets us trust people who have access to our information to make decisions about whether other people should have access. 

Both of these models assume that each system has its own structure and that information presented must be structured in a manner expected by a system.   On the web, we can expand capability even more.  Imagine carrying "keys" that describe all the different aspects of who you are and the verifications of those facts by others.  For example, you have a "key" that says "I'm the den mother of the Girl Scout troop #4566" and a verification from the regional Scouting office.  When you approach a Girl Scout website with that key, the site can calculate and give you appropriate access, say to the phone numbers of the parents of your troop, but not the parents of the troop in the next town. 

Using semantic web technologies, there is work underway to go one step better.  In the prior example, the Girl Scout website could anticipate that you would be coming.  What about the larger world, where you want to go new places, where the people don't know you at all? Say as den mother, you want to get the phone numbers of the troop leaders for other children's groups in the region: Boy Scouts, Campfire Girls, etc.  Or, your girls are doing a project on Korea and you want to get email addresses for girls in a troop there, so that your girls can write and ask them questions.  You could approach these different sites and each would look at your Den Mother key and decide if, according to their own rules, you can have the information you're seeking.  The benefit of the semantic web technologies is that it lets you present your credentials to systems that didn't know or expect you.  This works by including some information with your keys that explains how your keys are structured, how to read and understand them.  The tremendous advantage to this is that everyone doesn't have to use the same software or the same structure.  It can be adopted and used more readily because it doesn't require everyone with a system or everyone with keys to agree in advance how they will be built.  To be fair, it does require some minimal adherence to common principles much the way the internet works today.

One other exciting benefit of these movements in technology is the potential to improve privacy protection.  You could subdivide your virtual keyring.  So, personal facts (I'm Susie's brother; I'm Frank's friend) would not be revealed to a site for which you were seeking job-related access.  Nor would professional facts be shared with friends, volunteer associates, or commercial vendors.  This will be a significant improvement over the cookies that are passed to websites, because most people don't understand what information their computer is giving out or know how to find out.

I've now read the third article about this company. Looks like they're going to be hot! These folks have figured out how to recharge all your little handheld electronics without a power cord. You'll just plug their transmitter into an outlet and put your stuff down within three feet. It uses "RF harvesting" and should work on small rechargeables plus things that run on AA and AAA batteries. Only catch is there's still no word about when it will be available for purchase. www.powercastco.com

Some interesting options to investigate if you’re trying to make your computer, or your data, more secure and don’t want to remember passwords: Kanguru Bio Drive This is a USB memory stick that uses your fingerprint to encrypt/decrypt the data. c/net reports that it’s an improvement over some other efforts because removing the drive automatically encrypts the data when you pull the drive out of the pc And, gadgetnutz reported that he couldn’t hack it with a copy of a fingerprint. http://www.kanguru.com/biodrive.html http://reviews.cnet.com/Kanguru_Bio_Drive_1GB/4505-3240_7-31385102-2.html?tag=sub http://www.gadgetnutz.com/modules/news/article.php?storyid=2 A bug or a feature? The drive is fatter than a USB port, so it may block an adjacent USB port. I was hoping that it would read your thumb as you plug it in, but the technology requires you to “swipe” your finger across the reader; I admit, though, that this may be a feature not a bug, since it may help foil those wielding fake fingerprints. While it’s reported to work quite well, it has enough misreads that it prudently gives you the opportunity to set a “back-up” password. IDesia A new entrant in the biometrics market, this Israeli company uses people’s unique electrical output for biometric access control. A person needs to hold a small device with both hands (or at least press a finger from each hand), presumably to create a competed circuit. The company says access will be granted in 2 to 4 seconds. http://www.idesia-biometrics.com/ A bug or a feature? Users may balk at needing to use both hands every time they come back to the computer. Based upon a test and statistical extrapolations, the company reports a high degree of confidence that the system will correctly reject non-matching biometrics. It cannot predict perfectly correct matching results with the same degree of confidence. During a test of 106 subjects (mixed gender and age), all 106 were registered to the system, but 4 could not subsequently obtain access. http://www.idesia-biometrics.com/technology/statistical_report_11.04.pdf

I finished my thesis on May 15, 2006.  Here's the abstract: 

"I propose the creation of a real-time compliance “bot” – software to momentarily pause
each employee’s email at the moment of sending and to electronically assess whether that
email is likely to create liability or unanticipated expense for the corporation. My thesis
describes the confluence of historical events making such a product necessary and
desirable – increase in corporate regulation, explosive growth of email, acceptance of
email as evidence in litigation. The cautionary tale of Enron provides the backdrop for the
thesis. The government released hundreds of thousands of Enron management emails and
they have become research fodder for those interested in “Knowledge Discovery,” a
computer science discipline that gleans meaningful information from data otherwise
indecipherable due to its sheer size. CEO’s and other C-level corporate managers are my
intended audience, so I have attempted to counter the weightiness of the technical topics by
focusing on the search for readily understandable management headaches such as the loss
of productivity due to high participation in the fantasy football pool or the potential for
dirty jokes to become evidence in an employment law claim."

If you would like a copy of my thesis (described below) please send me an email at

kkw_at_mit_dot_edu