COMMUNICATIONS

ACM
CACM.ACM.ORG OF THE 03/2019 VOL.62 NO.03

The Seven Tools

of Causal Inference
with Reflections on
Machine Learning

Owning Computing’s
Environmental Impact
Beyond Worst-Case Analysis
Building a Better Battery Association for
Computing Machinery
 M
&C
In-depth.
Innovative.
Insightful.
Inspired by the need for high-quality
computer science publishing at the
graduate, faculty, and professional
levels, ACM Books are affordable,
current, and comprehensive in scope.

Full Collection I Title List

Now Available
For more information, please visit
http://books.acm.org

M
&C
Association for Computing Machinery
2 Penn Plaza, Suite 701, New York, NY 10121-0701, USA
Phone: +1-212-626-0658 Email: [email protected]
Communications of the ACM
Europe Region
Special Section
A collection of articles spotlighting many of the leading-edge
industry, academic, and government initiatives under way
throughout Europe is coming to Communications this spring.
Articles will be authored by many of the region’s leading computing
professionals, highlighting exciting advances in technologies,
diversity, and educational directives.

Among the topics to be explored:

 Web Science: Constructive, Analytics, Truly Social
 The European Perspective on Responsible Computing
 Informatics for All—A European Initiative
 Connected Things Connecting Europe
 Women in STEM in Europe
 EuroHPC

Plus the latest news about

Europe’s ICT agenda,
well-connected consumers,
the HiPEAC network,
enterprises that lead
ICT innovation, and
much more.
COMMUNICATIONS OF THE ACM

Departments News Viewpoints

5 Editor’s Letter 20 Legally Speaking

Owning Computing’s Questioning a New Intellectual
Environmental Impact Property Right for Press Publishers
By Andrew A. Chien Considering the implications
of the “link tax” provision
6 Cerf’s Up of the proposed EU Directive for
Ownership vs. Stewardship the Digital Single Market for
By Vinton G. Cerf traditional press publishers.
By Pamela Samuelson
7 Vardi’s Insights
Lost in Math? 24 Economic and Business Dimensions
By Moshe Y. Vardi Potential ‘Dark Sides’ of Leisure
Technology Use in Youth
8 BLOG@CACM Time for balanced reflections
14
Smoothing the Path to Computing; on technology.
Pondering Uses for Big Data By Ofir Turel
Members of the Computing Research 11 Building a Better Battery
Association suggest ways to broaden How researchers are improving 28 The Profession of IT
participation in computer science, energy storage devices for An Interview with
while Saurabh Bagchi looks at use power generated from renewable William Hugh Murray
cases for big data. sources like solar and wind. A discussion of the rapidly evolving
By Logan Kugler realm of practical cyber security.
23 Calendar By Peter J. Denning
14 Exoskeletons Today
116 Careers Wearable mobile machines integrate 31 Education
people and machines to assist It’s About Power
the movement-impaired, and A call to rethink ethics and equity
Last Byte amplify the capabilities in computing education.
of industrial and defense workers By Sepehr Vakil and Jennifer Higgs
120 Q&A while protecting them from injury.
Guiding Computers, By Esther Shein 34 Viewpoint
Robots to See and Think From Computational Thinking
Fei-Fei Li, co-director of Stanford 17 Electronics Need Rare Earths to Computational Action
University’s Human-Centered Demand is expected to spike over Envisioning computing education
AI Institute, wants to create the next few years, leading to higher that both teaches and empowers.
algorithms that can learn the way prices and international trade issues. By Mike Tissenbaum, Josh Sheldon,
human babies do. By Keith Kirkpatrick and Hal Abelson
By Leah Hoffmann
IMAGE COURTESY OF EKSO BIONICS A ND FORD

Association for Computing Machinery

Advancing Computing as a Science & Profession

2 COMMUNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 03/2019 VOL. 62 NO. 03

Practice Contributed Articles Review Articles

78 The Compositional Architecture

of the Internet
A new model for describing
the Internet reflects today’s reality
and the future’s needs.
By Pamela Zave and Jennifer Rexford

88 Beyond Worst-Case Analysis

The need for deeply understanding
when algorithms work (or not)
has never been greater.
By Tim Roughgarden

38 68 Watch the author discuss

this work in the exclusive
Communications video.
https://cacm.acm.org/
38 A Hitchhiker’s Guide to 54 The Seven Tools of Causal Inference, videos/beyond-worst-case-
the Blockchain Universe with Reflections on Machine Learning analysis

Blockchain remains a mystery, The kind of causal inference seen

despite its growing acceptance. in natural human thought can be Research Highlights
By Jim Waldo “algorithmitized” to help produce
human-level machine intelligence. 98 Technical Perspective
43 Design Patterns for Managing Up By Judea Pearl Borrowing Big Code to Automate
Four challenging work situations Programming Activities
and how to handle them. By Martin C. Rinard
Watch the author discuss
By Kate Matsudaira this work in the exclusive
Communications video. 99 Predicting Program Properties
https://cacm.acm.org/
46 Understanding Database videos/the-seven-tools-of- from ‘Big Code’
Reconstruction Attacks on causal-inference By Veselin Raychev, Martin Vechev,
Public Data and Andreas Krause
These attacks on statistical databases 61 Metamorphic Testing
are no longer a theoretical danger. of Driverless Cars 108 Technical Perspective
By Simson Garfinkel, John M. Abowd, Metamorphic testing can test Isolating a Matching When
and Christian Martindale untestable software, detecting fatal Your Coins Go Missing
errors in autonomous vehicles’ By Nisheeth K. Vishnoi
Articles’ development led by onboard computer systems.
queue.acm.org
By Zhi Quan Zhou and Liqun Sun 109 A Deterministic Parallel Algorithm
for Bipartite Perfect Matching
68 Blogging Birds: Telling Informative By Stephen Fenner, Rohit Gurjar,
Stories About the Lives of Birds and Thomas Thierauf
from Telemetric Data
IMAGES BY AND RIJ BORYS ASSOCIAT ES/SH UT T ERSTOCK

The system transforms raw

About the Cover: telemetric data into engaging
Turing Award recipient and informative blog texts readily
Judea Pearl argues (p. 54)
that causal reasoning, understood by all.
an indispensible building By Advaith Siddharthan,
block of human thought,
must be incorporated into Kapila Ponnamperuma, Chris Mellish,
machine learning.
He offers several
Chen Zeng, Daniel Heptinstall,
innovative tools that Annie Robinson, Stuart Benn,
may help ML realize
causal inference. Cover
and René van der Wal
illustration by Vault49.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF THE ACM 3

 COMMUNICATIONS OF THE ACM
Trusted insights for computing’s leading professionals.

Communications of the ACM is the leading monthly print and online magazine for the computing and information technology fields.
Communications is recognized as the most trusted and knowledgeable source of industry information for today’s computing professional.
Communications brings its readership in-depth coverage of emerging areas of computer science, new trends in information technology,
and practical applications. Industry leaders use Communications as a platform to present and debate various technology implications,
public policies, engineering challenges, and market trends. The prestige and unmatched reputation that Communications of the ACM
enjoys today is built upon a 50-year commitment to high-quality editorial content and a steadfast dedication to advancing the arts,
sciences, and applications of information technology.

ACM, the world’s largest educational STA F F EDITORIAL BOARD ACM Copyright Notice
and scientific computing society, delivers DIRECTOR OF PU BL ICATIONS E DITOR- IN- C HIE F Copyright © 2019 by Association for
resources that advance computing as a Scott E. Delman Andrew A. Chien Computing Machinery, Inc. (ACM).
science and profession. ACM provides the [email protected] [email protected] Permission to make digital or hard copies
computing field’s premier Digital Library Deputy to the Editor-in-Chief of part or all of this work for personal
and serves its members and the computing Executive Editor Lihan Chen or classroom use is granted without
profession with leading-edge publications, Diane Crawford [email protected] fee provided that copies are not made
conferences, and career resources. Managing Editor S E NIOR E DITOR or distributed for profit or commercial
Thomas E. Lambert Moshe Y. Vardi advantage and that copies bear this
Executive Director and CEO Senior Editor notice and full citation on the first
Vicki L. Hanson Andrew Rosenbloom NE W S page. Copyright for components of this
Deputy Executive Director and COO Senior Editor/News Co-Chairs work owned by others than ACM must
Patricia Ryan Lawrence M. Fisher Marc Snir and Alain Chesnais be honored. Abstracting with credit is
Director, Office of Information Systems Web Editor Board Members permitted. To copy otherwise, to republish,
Wayne Graves David Roman Monica Divitini; Mei Kobayashi; to post on servers, or to redistribute to
Director, Office of Financial Services Editorial Assistant Rajeev Rastogi; François Sillion lists, requires prior specific permission
Darren Ramdin Danbi Yu and/or fee. Request permission to publish
Director, Office of SIG Services VIE W P OINTS from [email protected] or fax
Donna Cappo Art Director Co-Chairs (212) 869-0481.
Director, Office of Publications Andrij Borys Tim Finin; Susanne E. Hambrusch;
Scott E. Delman Associate Art Director John Leslie King; Paul Rosenbloom For other copying of articles that carry a
Margaret Gray Board Members code at the bottom of the first or last page
Assistant Art Director Michael L. Best; Judith Bishop; or screen display, copying is permitted
ACM CO U N C I L
Mia Angelica Balaquiot James Grimmelmann; Mark Guzdial; provided that the per-copy fee indicated
President
Production Manager Haym B. Hirsch; Richard Ladner; in the code is paid through the Copyright
Cherri M. Pancake
Bernadette Shade Carl Landwehr; Beng Chin Ooi; Clearance Center; www.copyright.com.
Vice-President
Intellectual Property Rights Coordinator Francesca Rossi; Len Shustek; Loren Terveen;
Elizabeth Churchill
Barbara Ryan Marshall Van Alstyne; Jeannette Wing; Subscriptions
Secretary/Treasurer
Advertising Sales Account Manager Susan J. Winter An annual subscription cost is included
Yannis Ioannidis
Ilia Rodriguez in ACM member dues of $99 ($40 of
Past President
Alexander L. Wolf which is allocated to a subscription to
Columnists P R AC TIC E
Chair, SGB Board Communications); for students, cost
David Anderson; Michael Cusumano; Co-Chairs is included in $42 dues ($20 of which
Jeff Jortner
Peter J. Denning; Mark Guzdial; Stephen Bourne and Theo Schlossnagle is allocated to a Communications
Co-Chairs, Publications Board
Thomas Haigh; Leah Hoffmann; Mari Sako; Board Members subscription). A nonmember annual
Jack Davidson and Joseph Konstan
Pamela Samuelson; Marshall Van Alstyne Eric Allman; Samy Bahra; Peter Bailis; subscription is $269.
Members-at-Large
Betsy Beyer; Terry Coatta; Stuart Feldman;
Gabriele Anderst-Kotis; Susan Dumais;
C O N TAC T P O IN TS Nicole Forsgren; Camille Fournier; ACM Media Advertising Policy
Renée McCauley; Claudia Bauzer Mederios;
Copyright permission Jessie Frazelle; Benjamin Fried; Tom Killalea; Communications of the ACM and other
Elizabeth D. Mynatt; Pamela Samuelson;
[email protected] Tom Limoncelli; Kate Matsudaira; ACM Media publications accept advertising
Theo Schlossnagle; Eugene H. Spafford
Calendar items Marshall Kirk McKusick; Erik Meijer; in both print and electronic formats. All
SGB Council Representatives
[email protected] George Neville-Neil; Jim Waldo; advertising in ACM Media publications is
Sarita Adve; Jeanna Neefe Matthews
Change of address Meredith Whittaker at the discretion of ACM and is intended
BOARD C HA I R S [email protected] C ONTR IB U TE D A RTIC LES to provide financial support for the various
Letters to the Editor Co-Chairs activities and services for ACM members.
Education Board
[email protected] James Larus and Gail Murphy Current advertising rates can be found
Mehran Sahami and Jane Chu Prey
Board Members by visiting http://www.acm-media.org or
Practitioners Board
W E B S IT E William Aiello; Robert Austin; Kim Bruce; by contacting ACM Media Sales at
Terry Coatta
http://cacm.acm.org Alan Bundy; Peter Buneman; Jeff Chase; (212) 626-0686.
REGIONA L C O U N C I L C HA I R S Andrew W. Cross; Carl Gutwin;
WEB BOARD
Yannis Ioannidis; Gal A. Kaminka; Single Copies
ACM Europe Council Chair Single copies of Communications of the
Chris Hankin Ashish Kapoor; Igor Markov;
James Landay Bernhard Nebel; Lionel M. Ni; Adrian Perrig; ACM are available for purchase. Please
ACM India Council Board Members contact [email protected].
Abhiram Ranade Marie-Christine Rousset; Krishan Sabnani;
Marti Hearst; Jason I. Hong; m.c. schraefel; Ron Shamir; Alex Smola;
ACM China Council Jeff Johnson; Wendy E. MacKay COMMUN ICATION S OF THE ACM
Wenguang Chen Sebastian Uchitel; Hannes Werthner;
Reinhard Wilhelm (ISSN 0001-0782) is published monthly
AU T H O R G U ID E L IN ES by ACM Media, 2 Penn Plaza, Suite 701,
PUB LICATI O N S BOA R D http://cacm.acm.org/about- New York, NY 10121-0701. Periodicals
communications/author-center RES E A R C H HIGHLIGHTS
Co-Chairs postage paid at New York, NY 10001,
Co-Chairs
Jack Davidson; Joseph Konstan and other mailing offices.
Azer Bestavros and Shriram Krishnamurthi
Board Members ACM ADVERTISIN G DEPARTM E NT Board Members
Phoebe Ayers; Edward A. Fox; Chris Hankin; 2 Penn Plaza, Suite 701, New York, NY POSTMASTER
Martin Abadi; Amr El Abbadi;
Xiang-Yang Li; Nenad Medvidovic; 10121-0701 Please send address changes to
Animashree Anandkumar; Sanjeev Arora;
Sue Moon; Michael L. Nelson; T (212) 626-0686 Communications of the ACM
Michael Backes; Maria-Florina Balcan;
Sharon Oviatt; Eugene H. Spafford; F (212) 869-0481 2 Penn Plaza, Suite 701
David Brooks; Stuart K. Card; Jon Crowcroft;
Stephen N. Spencer; Divesh Srivastava; New York, NY 10121-0701 USA
Alexei Efros; Bryan Ford; Alon Halevy;
Robert Walker; Julie R. Williamson Advertising Sales Account Manager Gernot Heiser; Takeo Igarashi; Sven Koenig;
Ilia Rodriguez Greg Morrisett; Tim Roughgarden;
ACM U.S. Technology Policy Office [email protected] Printed in the USA.
Adam Eisgrau, Guy Steele, Jr.; Robert Williamson;
Director of Global Policy and Public Affairs Margaret H. Wright; Nicholai Zeldovich;
Media Kit [email protected] Andreas Zeller
1701 Pennsylvania Ave NW, Suite 200,
Washington, DC 20006 USA
Association for Computing Machinery S P EC IA L S EC TIONS
T (202) 580-6555; [email protected]
(ACM) Co-Chairs
Computer Science Teachers Association 2 Penn Plaza, Suite 701 Sriram Rajamani and Jakob Rehof A
SE
REC
Y

Jake Baskin New York, NY 10121-0701 USA Board Members

E

CL
PL

Executive Director T (212) 869-7440; F (212) 869-0481 Tao Xie; Kenjiro Taura; David Padua
NE
TH

S
I

Z
I

M AGA

4 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 editor’s letter

DOI:10.1145/3310359 Andrew A. Chien

Owning Computing’s
Environmental Impact
For decades, we have carried the conceit
that “computing makes everything more
efficient,” so the impact of computing
on the environment is a net positive.
But computing’s unprecedented suc- waste reached 44.7 million metric rect matching and supply following.2,8
cess has produced an explosion in its tons per year, comparable to the size Recycling programs are constructive,
use, quantity, and direct environmen- of the nine Pyramids at Giza, or 1.23 but less than 20% of e-waste is recy-
tal impact. It is time for the computing million 18-wheel trucks full of trash. cled—it is just not economic. Innova-
community to face up to computing’s This is an 8% increase from only two tive approaches to capture or render
growing environmental impact—and years earlier.7 Of this massive quanti- benign e-waste are a critical need.
take responsibility for it! And further, to ty, only a fraction is collected and recy- Computing technologies and sys-
undertake research, design, and opera- cled, with the largest fraction simply tems must be designed and shaped
tions to reduce this growing impact.a dumped into landfills or incinerated. for lower carbon and environmental
The transition to SSDs and the con- Any claims that computing is “good” impact. Here is a call to action to the
solidation of enterprise computing for the environment, must reckon computing community: Let’s adopt
into efficient cloud datacenters has for with this waste problem. goals equally ambitious to those of the
a decade blunted the impact of grow- Some computing professionals be- climate community.
ing computing use. But cloud com- lieve that Moore’s Law or Dennard scal- Let’s create technologies and sys-
puting’s extraordinary scale (200TWh, ing mitigates these problems. Far from tems that in their manufacture, con-
$200B in 2017) and ICT’s projected it, they actually exacerbate it! Efficiency struction, and operation approach the
power growth (to 21% of global power is not a solution, as 19th-century Brit- goal of 100% carbon-free and neutral
consumption by 2030)5 drive the rapid ish Economist William Stanley Jevons environmental impact!
growth of the cloud’s atmospheric car- noted in 1865, “efficiency increases
bon emissions.3,6 Computing is the consumption,” a rule widely known as Andrew A. Chien, EDITOR-IN-CHIEF
fastest-growing use of electric power Jevon’s Paradox.4
in the developed world, and is driving Carbon offsets are constructive, Andrew A. Chien is the William Eckhardt Distinguished
Service Professor in the Department of Computer Science at
the buildout of power generation and but not enough. As regions undertake the University of Chicago, Director of the CERES Center for
transmission in much of the develop- ambitious 100% renewable fraction Unstoppable Computing, and a Senior Scientist at Argonne
National Laboratory.
ing world. If the world is to meet the goals—San Diego (2035), California
Paris Accords goals for greenhouse- (2045), European Union (entire econ-
References
gas-emissions, computing must re- omy 2045)—offsets are of decreasing 1. Dreyfuss, E. How Google keeps its power hungry
duce its direct emissions. benefit. Real solutions must achieve di- operations carbon neutral. Wired (Dec. 1, 2018).
2. Google White Paper. Moving toward 24x7 Carbon-
Equally daunting is the rapid Free Energy at Google Data Centers: Progress and
Insights.
growth of waste from computing elec- 3. Greenpeace. Clicking Clean: Who is winning the race to
tronics, notably consumer products, Recycling programs build a green Internet?
4. Jevon, W. The Coal Question. Macmillan, 1865.
smartphones, and the plethora of
“smart devices” collectively termed are constructive, 5. Jones, N. How to stop data centres from gobbling up
the world’s electricity. Nature (Sept. 12, 2018).
the “Internet of Things.” In 2016, e- but less than 20% 6. Shehabi, A. et al., United States Data Center Energy
Usage Report. LBNL, June 2016.

of e-waste is recycled.
7. United Nations University.The Global E-waste Monitor
2017 (Dec. 2017).
8. Yang, F. and Chien, A.A. ZCCloud: Exploring Wasted
a Of course, I do not mean to imply that there
Green Power for High-Performance Computing,
have been no efforts to date—much to the IPDPS, May 2016.
contrary. But, rather to call for renewed and
universal engagement on this agenda. Copyright held by author.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF THE ACM 5

cerf’s up

DOI:10.1145/3310251 Vinton G. Cerf

Ownership vs. Stewardship

I
HAVE BEEN THINKING recently Interestingly, in the case of domain non-profit institutions strikes me as
about the complementary names, the assets (that is, right to quite remarkable. It might easily have
roles of stewardship and own- use) is created by the registrant who gone the other way. There is a current
ership in the context of the In- can invent new names not previously trend toward encouraging technology
ternet. A significant fraction registered and register them for use. transfer from government-sponsored
of the physical infrastructure of the In the case of Internet address space, research into the private sector. I
Internet and the equipment that ani- there is a finite amount of that space agree with the general premise that
mates the World Wide Web is private- (IPv4 has 32 bits of address space, publicly funded research should find
ly owned. Some of these components IPv6 has 128—a lot!) and the right to its way into the private sector where
are “owned” by governments and in use is meted out by ICANN to the Re- investment and hard work can pro-
some cases by cooperatives. The own- gional Internet Registries, which is in duce economic gains, jobs, and use-
ers are usually motivated by the ben- turn typically meted out to Internet ful products and services. It is none-
efits of their ownership whether that service providers who temporarily or theless fascinating to me that one
is making a profit, fulfilling govern- even dynamically allocate addresses of the largest government-produced
ment obligations, or producing ben- to end users for the purpose of their engines of economic growth and in-
efit for the group owners in the case gaining access to the Internet and its novation is so deeply dependent on
of a cooperative. There are, of course, many services. the stewardship of the people and
cases in which profit is not a motive The Regional Internet Registries institutions that administer Internet
but rather social benefit. Think of and ICANN are stewards of IP address addresses and domain names.
schools, churches, and libraries that and domain name spaces. Their role The Internet Societyc (ISOC) is an-
provide access to the Internet freely. is, to the best of their abilities, to pro- other non-profit institution, which
They are the owners of the facilities vide fair access to these assets and houses the Internet Architecture
and operate them in part to fulfill to keep track of these assignments Boardd (IAB), the Internet Engineer-
their missions. So where does stew- to ensure parties who do not have a ing Task Forcee (IETF), and the In-
ardship fit into this picture? registered right to use them cannot ternet Research Task Forcef (IRTF).
Organizations such as the Region- falsely claim or hijack them. While ISOC benefits directly from its whol-
al Internet Registriesa (ARIN, RIPE, opinions may vary as to the success ly owned, non-profit subsidiary, the
LACNIC, AFRINIC and APNIC) and of these institutions in carrying out Public Interest Registryg (PIR), which
the Internet Corporation for Assigned their missions, it strikes me as very is the steward of the .org top level
Names and Numbersb (ICANN) do not interesting that the largely private domain. The Internet Society plays
own the assets they administer. Their sector ownership of the physical an active role in reminding us of
missions are to manage the assign- Internet (including the hosts and the importance of stewardship and
ment of these assets to parties who cloud datacenters) is ultimately de- the need to heighten awareness that
have the right to use these assets in pendent on the successful steward- harmful uses of the Internet threat-
exchange for fees paid to maintain ship of a few key non-profit entities en its global connectedness and the
these assignments. In the case of for the useful application of these safety of its users. We are all in debt
domain names, the registrars are physical assets. The Web would to the stewards of the Internet. Long
often, but not always, for-profit enti- not exist in its present form with- may they serve.
ties that assist users to register and out domain names. Domain names
maintain a record of the assignment. would not be useful if they could not c http://www.isoc.org
d http://www.iab.org
The domain name registries may be mapped into IP addresses so the
e http://www.ietf.org
also be for-profit, non-profit, or even servers of those domain names could f http://www.irtf.org
government operated in the case of be reached on the Internet. g http://www.pir.org
the country-code Top Level Domains. Given the understandable eco-
nomic motivations of for-profit in- Vinton G. Cerf is vice president and Chief Internet
stitutions, the fact that the Internet Evangelist at Google. He served as ACM president from
a https://en.wikipedia.org/wiki/Regional_Inter- 2012–2014.
net_registry and the World Wide Web are depen-
b https://www.icann.org/ dent on the stewardship of a key set of Copyright held by author.

6 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 vardi’s insights

DOI:10.1145/3306448 Moshe Y. Vardi

Lost in Math?
WHE N I WA S 10 years old, my math mists, as a group, mistook beauty, clad all problem instances of length n, and
teacher started a Math Club. It was in impressive-looking mathematics, asking for upper and lower bounds on
not popular enough to last more than for truth.” algorithmic performance (usually in
a few weeks, but that was long enough So both physics and economics terms of time and memory utilization)
for me to learn about matrices and de- have, arguably, been lost in math. as a function of n. This approach is re-
terminants. When I came home, my What about computer science? Specifi- ferred to as the worst-case approach,
mother asked me how the club had cally, what about theoretical computer as it focused on the most challenging
been. “Beautiful,” I answered. “Do you science (TCS)? TCS is surely blessed problem instance of each length n. If
mean, ‘interesting’?” she inquired. with mathematical beauty. As a gradu- the upper bound that we can prove is
“No,” I said, “Beautiful!” While some ate student a long time ago, it was one of a slow-growing function, for ex-
people find mathematics befuddling, mathematical beauty that attracted ample, cn log n, for a small constant c,
others find it elegant and beautiful. me to TCS, and continued to lead my then we have a guarantee of good per-
The mathematician Paul Erdős often research for many years. I find com- formance on all problem instances.
referred to “The Book” in which God putational complexity theory (or com- But, in general, most upper and lower
keeps the most beautiful proofs of plexity theory, for short), with its theo- bound are much less useful. For exam-
each mathematical theorem. The phi- rems (for example, the time-hierarchy ple, an exponential lower bound just
losopher Bertrand Russell said, “Math- and space-hierarchy theorems) and its says some problem instances are hard,
ematics, rightly viewed, possesses not open questions (for example, P vs NP), but says nothing about the practical
only truth, but supreme beauty.” The to be hauntingly beautiful. Beauty, yes; significance of such instances.
beauty can be compelling; something but what about truth? In previous columns I have dis-
so beautiful must be true! Physical theories describe the physi- cussed this gap between theory and
But the seductive power of math- cal world, and by their “truth” we refer practice in specific settings. As I point-
ematical beauty has come under criti- to the fidelity in which they describe ed out, program termination may be
cism lately. In Lost in Math, a book pub- this world. Economic theories describe unsolvable in theory but solvable in
lished earlier this year, the theoretical economic systems, but by their “truth” practice,a while Boolean satisfiability
physicist Sabine Hossenfelder asserts we refer not only to the fidelity in which may be intractable in theory but trac-
that mathematical elegance led phys- they describe such systems but also to table in practice.b In both cases, the
ics astray. Specifically, she argues that the quality of the guidance they offer worst-case approach is simply too pes-
several branches of physics, includ- to business people and policymakers. simistic and tells us too little about
ing string theory and quantum grav- I believe complexity theory is similar algorithmic performance in practice.
ity, have come to view mathematical to economic theories in that respect. Beauty does not necessarily entail
beauty as a truth criterion, in the ab- It should not also provide a theoreti- truth. Going beyond worst-case com-
sence of experimental data to confirm cal framework in which we can study plexity is a key challenge in complexity
or refute these theories. The theoreti- the performance of algorithms, but it theory and is the subject of much cur-
cal physics community, she argues, is should also offer sound guidance to al- rent research. (See Tim Roughgarden’s
falling victim to group thinking and gorithm designers and system develop- Review Article on p. 88).
cognitive bias, seduced by mathemati- ers who use algorithms. So how good a Follow me on Facebook, Google+,
cal beauty. About 10 years ago, in the theory is complexity theory from that and Twitter.
wake of the 2008 financial crisis, the perspective?
Nobel Laureate economist Paul Krug- It is clear what it means to measure a https://cacm.acm.org/magazines/2011/7/
109895-solving-the-unsolvable/fulltext
man made the same point with re- the performance of a specific algorithm
b https://cacm.acm.org/magazines/2014/3/
spect to economics and mathematics A on a specific problem instance I. But 172516-boolean-satisfiability/fulltext
in an influential article titled “How complexity theory aims at describing
Did Economists Get It So Wrong?” His the performance of A over the space of Moshe Y. Vardi ([email protected]) is the Karen Ostrum
main answer was: mistaking math- all problem instances and it does so by George Distinguished Service Professor in Computational
Engineering and Director of the Ken Kennedy Institute for
ematical beauty for truth. “As I see abstracting away from individual prob- Information Technology at Rice University, Houston, TX, USA.
it,” wrote Krugman, “the economics lem instances. The typical way in which He is the former Editor-in-Chief of Communications.

profession went astray because econo- we do this abstraction is by considering Copyright held by author.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF THE ACM 7

 The Communications Web site, http://cacm.acm.org,
features more than a dozen bloggers in the BLOG@CACM
community. In each issue of Communications, we’ll publish
selected posts or excerpts.

Follow us on Twitter at http://twitter.com/blogCACM

DOI:10.1145/3303708 http://cacm.acm.org/blogs/blog-cacm

Smoothing the Path to ent in class. If you think they fail to be

inclusive, they probably are.

Computing; Pondering
3. Make departmental infrastruc-
ture accessible, inclusive, internation-
alized: Provide accessible classrooms,

Uses for Big Data labs, offices, websites, videos, etc. Use
international alphabets for student
names. Ask students for their pre-
Members of the Computing Research Association suggest ferred pronouns.
ways to broaden participation in computer science, 4. Measure and track: Analyze your
enrollment, demographics, etc., regu-
while Saurabh Bagchi looks at use cases for big data. larly to identify problem areas and track
changes, on your own, or with the CRA
Data Buddies.
Mary Hall, on the diversity of the field will benefit 5. Create a community for URMD
Richard Ladner, greatly from engaging the entire academic students: Sponsor student organiza-
Diane Levitt, computing research community. Many tions, and send students to Grace Hop-
Manuel Pérez-Quiñones universities will respond by expanding per, Tapia, and other celebrations of
Broadening Participation in their broadening participation efforts diversity in computing.
Computing Is Easier Than You Think to include students from groups who 6. Recruit URMD teaching assis-
https://cacm.acm.org/blogs/ are underrepresented in computing, in- tants, professors, advisors: Represen-
blog-cacm/233339-broadening- cluding women, underrepresented mi- tation matters. Students value seeing
participation-in-computing-is- norities, and students with disabilities someone who looks like them being
easier-than-you-think/fulltext (URMD). Here we list 10 small steps de- successful in their field.
December 11, 2018 partments can do toward this goal. 7. Promote undergraduate research:
The U.S. National Science Foundation 1. Organize departmental BPC ef- Work with women and URMD students
(NSF) recently introduced new require- forts at your university: Create a sign- in undergraduate research projects,
ments for the Computer and Informa- up list of diversity activities, and incen- such as through CRA’s CREU and DREU.
tion Science and Engineering (CISE) tivize faculty to participate. Create a 8. Create curriculum enhancements
Directorate programs, whereby some departmental strategic plan for broad- that appeal to diverse students: Create
funded projects must include a Broad- ening participation that faculty can introductory courses that assume no
ening Participation in Computing (BPC) support and amplify in their funded computing background, CS+X degree
Plan. To facilitate this transition, the NSF CISE proposals. Consider how to programs, service-learning, and acces-
Computing Research Association (CRA) leverage BPCnet providers as part of sibility electives.
is launching a resource portal called your departmental plan. 9. Develop the K–12 pipeline: Work
BPCnet (https://bpcnet.org), which is 2. Optics matter: Include pictures with K–12 teachers (CSTA) and im-
being funded by NSF to connect orga- of URMD students in websites and prove state curricula (ECEP) to advance
nizations that provide BPC programs printed materials. Artwork, examples K–12 computing education.
with computing departments and NSF in class, etc., should appeal to all stu- 10. Engage the community to sti­
grant proposers. These changes reflect a dents and not reinforce stereotypes. m­ulate computing interest and skills:
recognition that any significant impact The same goes for examples you pres- Organize rigorous and joyful outreach

8 COMMUNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 blog@cacm

events that bring diverse K–12 students 1. Predictive maintenance/down- 2. Interpretability. While ardent
and their families onto your campus. time minimization: Know when a com- devotees at the altar of big data are
ponent is going to fail before it fails, willing to accept the output of an algo-
From “Increasing Diversity In Computing Is Easier and swap it out or fix it. rithm like the Oracle of Delphi, many
Than You Think: Some Small Steps That Can Make A Big
Difference,” panel, 2018 CRA Conference at Snowbird, UT. 2. Inventory tracking/loss preven- of my industrial colleagues in the busi-
tion: Many industries of physical analog ness of building physical objects small
Saurabh Bagchi things have lots of moving parts; again, or large are cagey about such blind
Short Take: Big Data think of pallets being moved around. faith. Thus, our algorithms must pro-
and IoT in Practice They want to track where a moving part vide some insights or knobs to play
https://cacm.acm.org/ is now and where all it has been. “what-if” scenarios. This sometimes
blogs/blog-cacm/233312- 3. Asset utilization: Get the right runs at odds with building super-
short-take-big-data-and-iot- component to the right place at the right powerful models and algorithms, but
in-practice/fulltext time so that it can be used more often. it is our dictate from the real world to
December 10, 2018 4. Energy usage optimization: Self- make smart trade-offs.
Beyond the tremendous level of activity explanatory, and increasingly impor- 3. Streaming data and warehouse
around big data (data science, machine tant as the moral and dollar impera- data. My colleagues seem to want the yin
learning, data analytics … take your pick tives of reducing energy usage become and the yang on the same platform. The
of terms) in research circles, I wanted to more pressing. data analytics routine should be capable
peek into some of the use cases for its 5. Demand forecasting/capacity of handling data as it streams past, as
adoption in the industries that deal with planning: Self-explanatory, but firms well as old data from years of operation
physical things, as opposed to digital ob- seem to be getting better at this at short- that is sitting in a musty digital ware-
jects, and draw some inferences about er time scales. Way back in 1969, the U.S. house. This speaks to the need to extract
what conditions help adoption of the re- Federal Aviation Administration (FAA) value from the wealth of historical data,
search we do in academic circles. was predicting air traffic demands on as well as making agile decisions on the
an annual basis (http://bit.ly/2BWj5fv); streams of data being generated now.
What’s Driving the Convergence? now think of predicting the demand for 4. Unsupervised learning. This is
The convergence of Internet of Things the World Cup soccer jerseys depending entering technical-jargonland, but ba-
(IoT) and big data is not surprising at all. on which country is doing how well on a sically this means we do not want to
Industries with lots of small assets (think daily basis (http://bit.ly/2R3IcHL). have to recruit armies of people to label
pallets on a factory floor) or several large data before we can let any algorithm
assets (think jet engines) have been put- Factors Helping Adoption loose on the data. That takes time, ef-
ting many sensors on them. These sen- of Academic Research fort, legal wrangling, and we are never
sors generate unending streams of data, Academia has been agog about this completely sure of the quality of label-
thus satisfying two of the three V’s of big field of big data for, well, … seems like ing. So we would, whenever we can, use
data right there: velocity and volume. forever. We academics thirst for real unsupervised learning, which does not
Next time you are on a plane and are lucky use cases and real data and this field rely on a deluge of labeled data.
to be next to the wings, look underneath exemplifies this more than most. We
the wings and you will see an engine — if need to be able to demonstrate our Conclusion
it is Rolls Royce or GE, it may even have algorithm and its instantiation in a The domains of big data and IoT are des-
been designed or manufactured in our working software system delivers value tined to mutually propel each other. The
backyard in Indiana. Engines like these to some application domain. How do former makes the latter appear smarter,
are generating 10 GB/s of data (http:// we do that? There is a lot of pavement even when the IoT system is built out of
bit.ly/2LTsMjy) that is being fed back pounding and trying to convince our lots of small, dumb devices. The latter
in real time to some onboard storage or industrial colleagues. Again talking to provides the former with fruitful, chal-
more futuristically streamed to the ven- a spectrum, some factors seem to re- lenging technical problems. Big data
dor’s private cloud. This is one piece of cur frequently. These are not universal algorithms here have to become small,
the IoT-big data puzzle, the data genera- across application domains, but they run with a small footprint, a gentle giant
tion and transmission. This is the more are not one-off, either. in the land of many, many devices.
mature part of the adoption story (http:// 1. Horizontal and vertical. There is
bit.ly/2SzWTz3). The more evolving part a core of horizontal algorithmic rigor Mary Hall is a professor in the School of Computing at
the University of Utah, and a member of the Computing
of the big data story is the analysis of all that cuts across the specifics of the ap- Research Association Board. Richard Ladner is professor
this data to make actionable decisions, plication, but this is combined quite emeritus in the Paul G. Allen School of Computer
Science & Engineering at the University of Washington.
and that, too, in double-quick time. intricately with application-specific de- Diane Levitt is the senior director of K–12 Education at
Cornell Tech. Manuel A. Pérez Quiñones is associate
sign choices. We can snarkily call them dean of the College of Computing and Informatics
Use Cases for Collecting Big Data “hacks,” but they are supremely impor- at the University of North Carolina at Charlotte, and
professor in the Department of Software and Information
The second part of this story is in the tant pieces of the puzzle. This means we Systems. Saurabh Bagchi is a professor of electrical and
analysis of all this data to generate ac- cannot build the horizontal and throw computer engineering, and of computer science, at Purdue
University, where he leads a university-wide center on
tionable information. Talking to my in- it across the fence, but rather have to go resilience called CRISP.
dustrial colleagues, there are five major the distance of understanding the ap-
use cases for such analysis: plication context and the vertical. © 2019 ACM 0001-0782/19/3 $15.00

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF THE ACM 9

This book celebrates Michael Stonebraker’s accomplishments that led to his 2014
ACM A.M. Turing Award “for fundamental contributions to the concepts and practices
underlying modern database systems.”

The book describes, for the broad computing community, the unique nature,
significance, and impact of Mike’s achievements in advancing modern database
systems over more than forty years. Today, data is considered the world’s most
valuable resource, whether it is in the tens of millions of databases used to manage
the world’s businesses and governments, in the billions of databases in our
smartphones and watches, or residing elsewhere, as
yet unmanaged, awaiting the elusive next generation of
database systems. Every one of the millions or billions
of databases includes features that are celebrated by
the 2014 Turing Award and are described in this book.
N
news

Science | DOI:10.1145/3303710 Logan Kugler

Building a
Better Battery
How researchers are improving energy storage devices for
power generated from renewable sources like solar and wind.

T
HE WORLD’S RENEWABLE pow- Over that period, world renewable from wind and solar sources. This is
er capacity—the amount of energy production has also increased, good news for clean energy advocates
energy that can be produced from over 3.7 million gigawatt hours who hope to see our world less reliant
from sources comprising hy- to almost 5.9 million gigawatt hours. on polluting fossil fuels that contrib-
dropower, wind, solar, bio- To be clear, capacity, according to ute to climate change.
energy, and geothermal—has doubled the U.S. Department of Energy, is the Renewable power sources provide
in the last decade. From 2008 to 2017, “maximum output of electricity that “fuel” that is free and clean. This is
it went from 1,060 gigawatts to 2,179 a generator can produce under ideal highly attractive to businesses that
gigawatts, according to research from conditions,” whereas generation is generate electricity, and those that run
the International Renewable Energy what actually gets produced. on electricity. Yet sources like wind
Agency (IRENA), an intergovernmental In both cases, much of the growth, and solar are also intermittent; after
organization. according to data from IRENA, comes all, the wind stops blowing at times,

L
T

L/SA L/SB
IMAGE CREDIT: ANTONIO BACLIG

SA/SB

A flow battery in which energy is stored in a sodium-potassium alloy.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 11
news

and the sun stops shining at night. In comes in. On the grid, the right bat-
contrast, power generated from coal tery technology may be able to store
and natural gas is consistent, and able “Incumbent and release energy at far less cost than
to be ramped up and down quickly to technologies pumped-storage hydro. Some battery
meet demand. developments are also enabling the
This presents a conundrum for are still on a steep transition to electric vehicles, further
clean energy advocates. How do you cost-down curve, reducing reliance on non-renewable
make renewable energy not only fossil fuels.
cheap enough, but reliable enough, to which is challenging One of the main battery types cur-
compete with fossil fuels? for new technologies rently used for energy storage is the
The answer may lie in the types of lithium-ion battery. Lithium-ion
energy storage used to capture the to compete with,” says batteries power the handheld tech
power generated from these renew- Stanford University’s gadgets we use every day, including
able sources. Better batteries could smartphones. They also provide en-
make it possible for utility companies William Chueh. ergy storage for electric cars, and ex-
to leverage renewable energy sources tremely large lithium-ion batteries
at scale as primary power sources, are increasingly being used in power
rather than as clean backups to tradi- grids to store energy from renewable
tional dirty fuels. sources.
Lithium-ion batteries are inexpen-
Powering the Grid burned to heat water to turn turbines sive and energy-dense compared to
The power grids that charge and re- that generate electricity, releasing car- batteries made with other materials.
charge modern life are complicated bon dioxide and other contaminants They also degrade relatively slowly,
beasts, comprised of many different into the atmosphere in the process), losing just a fraction of their power af-
companies and technologies that they are (at the moment) reliable. ter each use.
make it possible to generate power, Renewable energy sources, on the “Over the past decade, we have
then route that power to homes and other hand, are clean and their fuel seen a tremendous cost reduction of
businesses. is free and abundant. However, the lithium-ion battery technology, by ap-
These grids operate on a basic power generated by water, wind, and proximately 10 times,” says William
principle: once energy is generated, solar sources must be stored some- Chueh, an assistant professor of Mate-
it is sent out for consumption. If it where after it is generated, since it is rials Science and Engineering at Stan-
is not being consumed immediately, intermittent. ford University working on renewable
it needs to be stored in some fash- The top method utilized in the energy storage technologies. “This
ion so it can be released back into U.S. for renewable energy storage is has been responsible for the boom in
the grid when end users are ready to pumped-storage hydroelectric, which electric vehicles and for storing inter-
consume it. provides 95% of grid-scale electric- mittent solar and wind electricity.”
It sounds easy in theory, but it ity storage in the country, according However, lithium-ion batteries
quickly gets complicated in practice. to the U.S. Department of Energy. have one big problem: they still are
When businesses and homes need Pumped-storage hydro utilizes mul- not priced competitively enough to be
power, they typically need it imme- tiple reservoirs to store and release used at scale on grids to store energy
diately. This means demand for grid electricity in a highly efficient and from renewable sources.
power can fluctuate a lot, and it can responsive manner, allowing power “To realize a complete penetration
fluctuate quickly. Power supply must grids to react quickly to fluctuations of batteries for storing intermittent
match demand as adequately as possi- in demand. renewable electricity, the cost needs
ble, on time and on budget. Failure to According to electric power hold- to decrease by another order of mag-
meet demand sufficiently and on time ing company Duke Energy, “Pumped- nitude, and the scalability needs to be
results in power failures or blackouts. storage hydro plants store and gener- greatly improved,” says Chueh.
Failure to meet demand on-budget ate energy by moving water between Those developments are unlike-
means a power provider eventually two reservoirs at different elevations.” ly, says Ben Schiltz, head of Energy
goes out of business. When demand is low, “Excess energy Storage Communications at the U.S.
This is where the benefits of fossil is used to pump water to an upper res- Department of Energy’s Argonne Na-
fuels become evident. Fossil fuel-pow- ervoir.” When there’s high demand, tional Laboratory, which has multiple
ered energy plants generate consis- the water is released from the upper energy storage research projects in
tent power, since humans, not nature, reservoir to generate power. progress.
control their fuel sources, and the However, building these storage “Today, the industry continues to
different fossil fuel power generation systems requires massive time and re- make incremental improvements to
technologies (such as coal, oil, and source investments, and the location lithium-ion batteries. However, we
natural gas) can be scaled up or down of these storage systems is highly de- are reaching the theoretical limit of
to meet demand fluctuations. Despite pendent on geography. what can be done with these batter-
being dirty (basically, the fuels are This is where battery technology ies,” Schiltz says. “Developing safe

12 COM MUNICATIO NS O F TH E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 news

new battery technologies with higher irregular discharging than lead-acid ping point for widescale adoption of
energy capacity, lower cost, and lon- batteries, according to O’Connor. electric cars, according to Bloomberg.
ger life, that can also be charged and While lead-acid and lithium-ion Despite these advances, commer-
discharged fast, is very challenging. technologies duke it out over marginal cially viable and scaleable grid-ready
Oftentimes you can improve one [fac- cost reductions and efficiency gains, alternatives to lithium-ion batteries
tor] at the expense of others.” advances and improvements in flow remain to be seen.
This situation has researchers batteries may just be getting started. “Incumbent technologies are still
hunting for alternative technolo- Chueh, Baclig, and a team of re- on a steep cost-down curve, which is
gies to store energy from renewable searchers have developed a new type challenging for new technologies to
sources. of flow battery that could eventually compete with,” says Chueh. However,
be a low-cost, high-power alternative Chueh is confident that, given a long-
Alternative Energy Storage to existing energy storage methods. enough timeline, alternative grid bat-
There are many alternatives when it According to Stanford, “The group teries will be part of the answer to scal-
comes to grid energy storage, says An- found a suitable ceramic membrane ing renewable power storage.
tonio Baclig, a renewable energy stor- made of potassium and aluminum ox- “Batteries used at the grid scale will
age researcher at Stanford and a mem- ide to keep the negative and positive look more like a chemical plant, rath-
ber of Chueh’s team. materials separate while allowing cur- er than the batteries used in electric
“Lithium-ion is now the front- rent to flow.” The membrane “doubled vehicles, drones, and robots today,”
runner for grid storage batteries, but the maximum voltage of conventional Chueh says.
lead-acid batteries are a low-cost alter- flow batteries, and the prototype re-
native, and flow batteries are continu- mained stable for thousands of hours
Further Reading
ing to improve,” he says. Lead-acid of operation.”
batteries are solid batteries used in With those advances, says Chueh, May, G.
automotive applications. Rechargable “We aim to simultaneously achieve Lead batteries for utility energy storage:
flow batteries, however, use liquids in- high energy density, lifetime, and re- A review, Journal of Energy Storage,
February 2018,
stead of solids to conduct electricity, duced cost.” https://www.sciencedirect.com/science/
which may give researchers more op- However, this new flow battery is article/pii/S2352152X17304437
tions to find chemical combinations still in the prototype phase. While
that dramatically improve efficiencies promising, it will not be mass-pro- O’Connor, J.
Battery Showdown: Lead-Acid vs.
and reduce costs. duced any time soon. Lithium-Ion, Medium, Jan. 23, 2017,
Lead-acid batteries have the “larg- Another new battery type that is https://medium.com/solar-microgrid/
est market share for rechargeable commercially farther along in scal- battery-showdown-lead-acid-vs-lithium-ion-
batteries,” according to research pub- ing the storage of renewable energy is 1d37a1998287
lished in The Journal of Energy Storage the zinc-air battery, a metal-air battery Penn, I.
by Geoffrey May, Alistair Davidson, powered by oxidizing zinc with oxygen Cheaper Battery Is Unveiled as a Step to
and Boris Monahov. Much of the mar- from the atmosphere. These batteries a Carbon-Free Grid, The New York Times,
ket for these batteries is in traditional have high energy densities, and are Sept. 26, 2018
motor vehicles—standard car batter- relatively inexpensive to produce. Late https://nyti.ms/2MiFwAj
ies. last year, energy storage technology Whiteman, A.
While lead-acid batteries are rela- company NantEnergy and its billion- Renewable Energy Statistics 2018,
tively inexpensive and widely avail- aire founder Patrick Soon-Shiong an- International Renewable Energy Agency,
able, they do have some drawbacks: nounced they had developed a battery July 2018
http://www.irena.org/publications/2018/Jul/
for one, they are heavy, which makes that uses zinc and air to store renew- Renewable-Energy-Statistics-2018
them less than ideal for electric cars able energy.
(Tesla’s vehicles, for example, use lith- This zinc-air battery has been test- Uria-Martinez, R.
ium-ion batteries.) ed “in Africa and Asia, as well as cell- 2017 Hydropower Market Report, U.S.
Department of Energy, April 2018
The real advantage of lead-acid phone towers in the United States for http://bit.ly/2TWJUaN
over lithium-ion has historically been the last six years, without any backup
cost, but that is changing. Research from utilities or the electric grid,” ac- Pumped-Storage Hydro Plants, Duke Energy
by Joe O’Connor, manager of applica- cording to The New York Times. The http://bit.ly/2MfvhN6
tion engineering at battery technology company claims the new battery can What’s the Difference Between Installed
company Farasis Energy Inc., showed store and release electricity at a cost Capacity and Electricity Generation?, U.S.
that while individual lead-acid batter- of less than $100 per kilowatt-hour Department of Energy, Aug. 7, 2017
ies are cheaper to buy than lithium- (kWh). In comparison, Elon Musk http://bit.ly/2MhLrWv
ion batteries, the total lifecycle cost told shareholders that Tesla was
Logan Kugler is a freelance technology writer based
for off-grid lithium-ion batteries is working to get to that price point for in Tampa, FL, USA. He has written for over 60 major
reaching parity with that of lead-acid its lithium-ion battery cells by the publications.
batteries. end of last year.
Lithium-ion batteries require little The $100/kWh mark is seen in the
maintenance and are more resilient to energy storage community as a tip- © 2019 ACM 0001-0782/19/3 $15.00

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 13
news

Technology | DOI:10.1145/3303851 Esther Shein

Exoskeletons Today
Wearable mobile machines integrate people and machines
to assist the movement-impaired, and amplify the capabilities
of industrial and defense workers while protecting them from injury.

M
I LLI O N S OF PE OPLE suffer
from the effects of spinal
cord injuries and strokes
that have left them para-
lyzed. Millions more
suffer from back pain, which makes
movement painful. Exoskeletons are
helping the paralyzed to walk again,
enabling soldiers to carry heavy loads,
and workers to lift heavy objects with
greater ease.
An exoskeleton is a mechanical de-
vice or soft material worn by a patient/
operator, whose structure mirrors the
skeletal structure of the operator’s
limbs (joints, muscles, etc.). The struc-
ture works in tandem with the person
wearing it, and it is utilized to amplify
their capabilities, serving as an assis-
tive device, haptic controller, or for re-
habilitation purposes, says Rian Whit-
ton, an analyst at technology market A Ford worker wearing the EksoVest, which provides lift assistance for repetitive
intelligence firm ABI Research. The overhead tasks.
firm is forecasting 150,618 exoskel-
eton shipments in 2028 and $2.9 bil- ment of the Massachusetts Institute Alternatively, an exoskeleton robot
lion in revenue in 2028, up from $104 of Technology (MIT), agrees. Until could be mounted around the person’s
million in 2018. the 1970s and 1980s, he recalls, the arm to help them bring the spoon to
The technology has been around perception was that the brain was their own face.
since the 1960s; during the Cold War, hardwired, and there was not much “Both have value, and it depends on
however, the focus was mainly on re- that could be done for a person who what the application is,’’ Krebs says.
search and exploration, Whitton says. suffered a stroke. Today, the concept “Now you can think of [exoskeletons]
Research and development activity of neuroplasticity, the brain’s ability … not just in rehabilitative medicine,
picked up again in 2017, he says, when to form new neural connections, has but in the aging of the population or
exoskeletons began to gain regulatory shown that a person’s brain function- for workers in factories, depending on
approval and were popularized in the ing can grow stronger after suffering what the goal is.”
health market. a stroke, says Krebs. Krebs and a team at MIT created a
“You have this increased market due When Krebs began his research, his plastic exoskeleton known as Anklebot
to the number of veterans with spinal goal was to “create tools to help a clini- during 2003–2004. Anklebot is mount-
cord injuries resulting from conflicts cian take advantage of the nurture that ed around a person’s ankle to help
post-9/11, and the prosthetics market we could offer over the nature.” them after a stroke, since many stroke
and robotic limbs market was acceler- Applying robotics using concepts victims cannot lift their ankles to clear
IMAGE COURTESY OF EKSO BIONICS A ND FORD

ated because of that now,’’ Whitton from neuroscience is helping people re- the floor when walking, he says. The
says. “So you could argue the military cover what they lost, he says. “It’s not a Anklebot is designed to help the per-
… had a stimulating effect.” cure, but it improves care … This is the son propel him/herself forward and
That said, exoskeletons are still in a direction of rehabilitative technology.” clear the floor by lifting the ankles so
“very nascent state,’’ Whitton adds. There are different types of robot- they don’t fall.
Hermano Krebs, the self-described ics. In one scenario, a robot might be Today, Krebs says, many U.S.-based
“father of rehabilitative robotics” mounted on a wheelchair and feed a companies have commercialized the
and principal research scientist in person by bringing a spoon to their Anklebot to treat patients, while sev-
the Mechanical Engineering Depart- face, which is an assistive application. eral others have developed their own

14 COMMUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 news

technologies for helping post-stroke pa-

tients lift their ankles. One is Japanese-
Exoskeletons can be
ACM
based Yaskawa, which also has an ankle
robot to help stroke patients. Krebs also
started a new company called 4Motion
beneficial in helping Member
Robotics, which will be designing an an- workers avoid injuries News
klebot and other exoskeletal products. and stay on the job
Increased use of exoskeletons is
also being driven by re-shoring, the longer because HELPING PEOPLE THROUGH
INFORMATION CENTRICITY
bringing back of manufacturing jobs they “amplify “Many of us in
research are
to the U.S. from offshore, notes Whit-
ton. Exoskeletons can be beneficial in human performance,” very fortunate
because we get
helping workers avoid injuries and stay which results in to do what we
love,” says K.K.
on the job longer because they “ampli-
fy human performance,” which results a productivity gain. Ramakrishnan,
professor of computer science
in a productivity gain. and engineering at the
“There is an acute labor shortage University of California,
in industrial jobs here; there is a low Riverside (UC Riverside).
Ramakrishnan’s research
participation rate and a lot of people is focused on network
are feeling the pinch and [companies a company to recoup its initial in- architecture, protocols, and
are] struggling to grow and raise pro- vestment because they are extremely systems. He is author of more
250 papers, and has 170 patents
ductivity due to a lack of workers and expensive right now, notes Whitton. issued in his name.
also an aging workforce.” Already, An upper-body exoskeleton designed He earned his bachelor’s
people are retiring later, he noted, “so to amplify human performance runs degree in electronic engineering
in a sense, this is a way of extending about $30,000, he says, “but the price from Bangalore University in
India, and his master’s degree
human life and extending their time is coming down, and eventually these in engineering from the Indian
in the labor force.” technologies will be commoditized.” Institute of Science (IISc), also
Couple those factors with injuries Additionally, he anticipates the cost in Bangalore.
on construction sites and mining op- of an exoskeleton will shift from hard- While at IISc, Ramakrishnan
used a computer for the first
erations, and you can understand why ware to software and robotics as a time, and was attracted to learn
exoskeletons are being eyed as a way to service with a monthly subscription more about the computer arena
extend the life of the worker, because model; this, he believes, will lower the because it was so intuitive.
Computer science was a natural
they can amplify performance. barrier to adoption. fit for him, and he earned his
Take, for example, a Milwaukee Jerryll Noorden, a Connecticut- Ph.D. in computer science from
Grinder, a power tool mainly used to based real estate investor, is also the University of Maryland.
grind metal in discrete manufactur- bullish on exoskeletons. Prior to real Ramakrishnan began his
professional career at Digital
ing, and a piece of equipment that estate, Noorden was the mechani- Equipment Corporation (DEC)
can weigh 15 lbs. or more, Whitton cal lead engineer on the National in 1983. He left DEC in 1984
says. An exoskeleton with a third zero- Aeronautics and Space Administra- to take a position with AT&T,
where he worked through 2013,
gravity arm could pick it up without tion (NASA) X1 Exoskeleton, as well the year he joined the faculty of
requiring any exertion on the part of a as working at the Florida Institute UC Riverside.
worker, he says. for Human & Machine Cognition Currently, Ramakrishnan’s
That appeals to home improve- (IMHC), a research institution of the research is focused on two
areas. The first is using
ment chain Lowe’s, which tested exo- State University System of Florida. information centricity for
suits in April 2017 at its Christians- Noorden believes so much in the vi- disaster management, to
burg, VA, location, in partnership with ability of exoskeletons that he says deliver more timely, relevant,
Virginia Polytechnic Institute and useful information to aid first
he is planning to donate some of the
responders. The second is to
State University (Virginia Tech). “We proceeds from his business to exo- continue making networks
gathered feedback from the test and skeleton research and development. more flexible and agile through
are now using the data to help define While working at IHMC in 2007, software-based functionality.
Ramakrishnan observes
the next phase of the program,’’ says Noorden and others developed a pro- that networks have become
a Lowe’s spokesman, who declined to totype for an exoskeleton, which he ubiquitous, and that much of
provide further details. says was “not very successful” because our life is centered around a
Ford Motor Co. is also testing at a motor was required for each joint to connected world. As a result, he
says, the future lies in making
one of its assembly plants a wearable introduce movement. “The stronger these networks “more robust,
exoskeleton called EksoVest to help re- the motor, the bigger it has to be, and convenient, and secure.”
duce shoulder injury, which is an issue that is the huge issue with motors right —John Delaney
in assembly line work. now,’’ Noorden explains. “The more
The flip side of exoskeletons, how- power, the bigger the motor, and of
ever, is that it could take a while for course, it becomes heavier.”

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 15
news

The IHMC team came up with a mentary, the aim is to track historical
second prototype, called Mina, in data about worker body positioning
the 2008–2009 timeframe, which was “Ultimately, you want and to track [an] exosuit’s location
much more successful, according to to devise something through the workspace.”
Noorden. At that point, he was con- Significant progress needs to be
tracted by IHMC to NASA, which he transparent that will made on the social side, too. “There
says was interested in the technology help move you and needs to be a greater sense of their
to help astronauts exercise in space. transformative potential and the po-
However, after dealing with the fall- assist you but won’t tential to get sufficient ROI in a suffi-
out of budget cuts at NASA, Noorden hold you back. But cient amount of time,’’ Whitton adds.
decided to go out on his own and start Exoskeletons are “a capital-intensive
a real estate investing business, “so we’re not there yet.” technology and we don’t know when
that I could continue doing research the ROI will be. I think that will change
without having to ask the government over time as they are deployed by big-
for funding.” ger companies.”
In the meantime, several things
need to happen for exoskeletons to
Further Reading
improve, observers say. Like Noor- In healthcare, the main goal is to
den, Krebs says, “We’re still not make exoskeletal devices “essentially Rupal, B.S., Rafique, S., Singla, A.,
Singla, E., Isaksson, M., and Virk, G.S.
only trying to hide the hardware, but disappear” and become “soft exo-
Lower-limb exoskeletons: Research trends
make it lighter. Many of the actua- skeletals.” Many people are working and regulatory guidelines in medical and
tors and motors are still bulky, and right now on incorporating such sys- non-medical applications, International
it’s not easy to reduce the weight of tems into clothing, Krebs says, such Journal of Advanced Robotic Systems, 2017.
the devices.” If the weight is reduced, as a pair of pants with wires or cables Luo, J., Pan, B., and Fu, Y.
“many times we don’t have the be- that would be able to assist a person’s Experiment research of human lower
havior we need,” meaning when the mobility. One is an Israeli company extremity exoskeleton robot,
Proceedings of the 32nd Chinese Control
motor becomes smaller, it becomes called ReWalk Robotics, which has
Conference, 2013
more difficult for a person to move. partnered with The Wyss Institute at https://ieeexplore.ieee.org/
“Ultimately, you want to devise some- Harvard University to make assistive document/6640490/authors#authors
thing transparent that will help move exosuits devices for people with low- Baldovino, R., and Jamisola, R.
you and assist you but won’t hold you er-limb disabilities. A Study on the State of Powered-
back. But we’re not there yet.” Whitton thinks that as a result of Exoskeleton Design for Lower Extremities,
Not only is the goal to make a exo- the cost and “complexity of the health 5th International Conference on Humanoid,
skeleton device lighter, but also for Nanotechnology, Information Technology,
supply chain,” due to a strict regulatory
Communication and Control, Environment,
it to behave in a way that people feel environment and the need to tailor an and Management 2009 (HNICEM 2009)
good about it, so it does not hold them exoskeleton to an individual, health- http://bit.ly/2HhaWIl
back or prevent them from doing a care will not be the biggest market for Neuhaus, P.D., Noorden, J.H., Craig, T.J., Torres,
particular movement. “This balance exoskeletons. He anticipates greater T., Kirschbaum, J., and Pratt, J.E.
is what makes engineering difficult,” adoption in industries like manufac- Design and Evaluation of Mina a Robotic
Krebs says. turing, mining, and defense. Orthosis for Paraplegics, Proceedings
Yet, Krebs believes within 10 years “In many cases, a robot isn’t suffi- of the 2011 International Conference on
Rehabilitation Robotics (ICORR 2011),
the technology will have come far ciently adaptable or dexterous to per- Zurich, Switzerland
enough that it will be “far more avail- form a wide number of tasks,’’ Whitton http://bit.ly/2Ct9E7H
able in multiple settings.” explains, whereas industrial and mo- Kwa, H.K., Noorden, J.H., Missel, M., Craig, T.,
He also thinks exoskeletons will be bile robots and exoskeletons are aimed Pratt, J.E., and Neuhaus, P.D.
front and center at the Tokyo Summer at assisting human workers to enable Development of the IHMC Mobility Assist
Olympics games in 2020. Toyota’s them to do more, and more easily. Exoskeleton, Proceedings of the 2009 IEEE
Partner Robot division has developed Whitton also foresees the systems International Conference on Robotics and
Automation, (ICRA ’09), Kobe, Japan
a device to exercise the knee of a pa- becoming lighter and more dexterous http://bit.ly/2Fzn2uJ
tient, and many other Japanese-based and expects them to be deployed like
Gui,L., Yang, Z., Yang, X, Gu, W., and Zhang, Y.
companies also are working on exo- Internet of Things (IoT) devices with Design and Control Technique
skeleton rehabilitation devices, he artificial intelligence (AI) capabili- Research of Exoskeleton Suit,
says. “I think the [Tokyo] Paralym- ties such as data analytics, to moni- IEEE International Conference on
pics will be more interesting than the tor worker performance and measure Automation and Logistics, 2007
regular Olympics,” he says, “because when a worker might be most at risk https://ieeexplore.ieee.org/
document/4338624/authors#authors
there will be lots of demonstrations of for injury. Exoskeletons are going to
technology to help people move,” due be laden with sensors and will be con-
Esther Shein is a freelance technology and business
to the number of Japanese companies nected with other wearables like mo- writer based in the Boston area.
that are working on exoskeletal tech- bile control panels, he says. “While
nology now. current systems are somewhat rudi- © 2019 ACM 0001-0782/19/3 $15.00

16 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 news

Society | DOI:10.1145/3303847 Keith Kirkpatrick

Electronics Need
Rare Earths
Demand is expected to spike over the next few years,
leading to higher prices and international trade issues.

R
ARE-EARTH ELEMENTS are spe- 1990s, Chinese-based mining compa-
cial minerals used in a nies began developing rare-earths op-
wide variety of consumer In the 1990s, mining erations, and other mines around the
and industrial products. companies in China world simply could not compete, due
Though they have exotic- to the lower cost of operations at the
sounding names, such as neodymium, began focusing on Chinese mines and processing facili-
scandium, and dysprosium, they are rare earths; mines ties. As a result, Chinese-based compa-
abundant right here on Earth. They are nies wound up controlling more than
considered rare, however, because they in other countries 90% of the market by the late 1990s,
appear in very small concentrations. could not compete and prices remained relatively steady.
In addition, the process used to However, in 2010, China cut its ex-
separate them from the rocks in which with low-cost port quotas for rare earth exports, and
they occur is extremely difficult, be- Chinese mining rare earth prices skyrocketed. Further-
cause the elements have the same ionic more, a territorial dispute with Japan
charge and are similar in size. Typical and processing. led China to halt exports to that coun-
separation and purification processes try for two months, proving its control
often require thousands of extraction over rare earths could also be a weapon
and purification stages to be carried in any sort of international dispute.
out. As such, there is a significant pre- Speculators hoarded rare earth miner-
mium attached to these materials, and als, sending prices soaring. Seeing that
several market and geopolitical forces years, driven by an increase in the use the Chinese government was actively
may cause them to escalate in value. and production of items that are manu- using its control over the rare earths
Rare earths are metallic elements, factured using rare earths. For exam- market to get what it wanted, new rare
and therefore contain unique properties, ple, in 1998, cellular telephones, which earth production facilities were started
including high heat resistance, strong have batteries that require rare earth in the U.S., Australia, Russia, Thailand,
magnetism, high electrical conductivity, elements, were used by just 5.3% of the Malaysia, and other countries.
and high luster. These specific proper- global population, according to Inter- A potential trade war between Chi-
ties make them well suited for use in a va- national Telecommunications Indus- na and the U.S., a net importer of rare
riety of products, including cellphones, try data. By 2017, the penetration rate earths, combined with an expected rise
batteries, loudspeakers, lights, magnets, of cellphones worldwide had reached in demand for rare earths over the next
and even wind turbines. In addition, 103.4% (exceeding 100% due to owner- few years, could contribute to rising rare
they are often key elements used in the ship of multiple devices). earth prices.
creation of components used in everyday Other products, such as electric vehi- When prices of rare earths spiked
objects, such as light-emitting diodes cles and wind turbines, were just in the in the past, manufacturers were able
(LEDs), fiber optics, compact fluorescent prototype phase two decades ago, but to get their engineers to reduce the
lights, and are used as catalysts, phos- have since seen significant commercial requirements for rare earths in some
phors, and polishing compounds for air deployment, with positive demand fore- products, such as reducing or eliminat-
pollution control, illuminated screens cast over the next several decades. As a ing the use of europium and terbium
on electronic devices, and the polishing result, demand for rare earth elements in fluorescent lighting products, says
of optical-quality glass. is likely to grow over time; combined Pierre Neatby, vice president of sales
Some of the rare-earth metals (and with a relatively limited base of suppli- and marketing with Avalon Advanced
their atomic weights) that are com- ers, rising demand could drive up the Materials, Inc., a Canadian mineral de-
monly used in electronics include lan- cost of rare earths for manufacturers, velopment company with three mining
thanum (57), cerium (58), neodymium both in the U.S. and around the globe. projects expected to enter commercial-
(60), samarium (62), europium (63), As recently as 30 years ago, rare ization, including rare earth elements
terbium (65), and dysprosium (66). earths were mined and processed in tantalum, niobium and zirconium.
The demand for rare earths is ex- various countries around the world, in- A new red phosphor that uses
pected to increase over the next several cluding the U.S. However, in the early Manganese4+ (Mn4+) activated fluo-

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 17
news

ride compounds was developed to re- The Mountain Pass mine was ac- worth of rare-earth materials under-
place rare earth materials in lighting. quired last year by U.S.-owned consor- neath Japanese waters, essentially
However, Neatby says, some products tium MP Mine Operations LLC, after enough to supply to the world on a
simply require rare earths in order to being shuttered since 2015 by its pre- “semi-infinite basis,” according to a
provide the level of performance de- vious owners, MolyCorp. Inc., when study published in Nature Publishing
manded by customers. that firm went bankrupt. Mountain Group’s Scientific Reports.
Indeed, suitable substitutes for neo- Pass operations were restarted in 2018, However, the major challenge in-
dymium magnets, which are valued with the mine’s rare earth compounds volves efficiently and cost-effectively
because they are extremely powerful now being shipped to China for separa- separating these rare earths, and a
and lightweight, have yet to be found, tion into individual rare-earth oxides, consortium of Japanese government-
Neatby says. “So, the neodymium mag- though steep tariffs are likely to nega- backed entities, companies, and re-
net is still the most powerful magnet in tively impact the company’s ability to searchers plans to conduct a feasibility
the world, and for [electric] car applica- compete against Chinese producers. test within the next five years.
tions, you do want the smallest, light- “The Chinese are still the kings of Still it is likely that, regardless of the
est, motor, because the heavier the downstream production of materials outcome of any trade negotiations to
car, the bigger the engine has to be in that use rare earths; Molycorp has gone reduce or eliminate tariffs, or the de-
order to move it forward,” Neatby says. bankrupt, and the only outside signifi- velopment of a new way to extract rare
“Whether it’s an F-35 [fighter jet], a big cant producer of rare earths is Lynas earths from new deposits, U.S. manu-
submarine, or electric car, rare earth (Corporation of Australia), but they’re facturers’ best hope for securing rare
magnets are going to be used.” producing essentially light rare earths,” earths will be the redevelopment of a
Production of military equipment, Neatby says. “All of the heavy rare earths domestic rare earths industry.
such as the aforementioned F-35, is at still come from China, and you have a A source close to MP Mine Opera-
risk of being impacted by the escalating situation where electric vehicles in the tions said that the company’s operat-
U.S.–China trade war, as are other key future are going to use electric motors ing plan is to create processing capac-
pieces of military equipment, such as that use rare earths, and demand is ity to allow a full, end-to-end mining,
night-vision goggles, precision-guided starting to pick up.” extraction, and processing capability
weapons, communications gear, GPS Due to the threat of the supply of in the U.S. within 18 months, which
systems, batteries, and other defense rare earths being cut off, many compa- may help to alleviate the pressure on
electronics, each of which requiring nies have stockpiled larger supplies of the market. According to a source
rare earth metals as key ingredients. rare earths. Despite the forces impact- close to the company, MP Mine Oper-
A provision in the National Defense ing the supply side of the market, de- ations is trying to create an American
Authorization Act signed into law in mand is likely to remain strong. supply chain and is hoping the U.S.
August 2018 bars the U.S. Department “In general, you’ve got a rare earth mar- government will pressure China to re-
of Defense (DoD) from buying perma- ket that is quite solid,” Neatby says. “All of duce or eliminate import tariffs that
nent rare-earth magnets made in Chi- the applications that were probably not affect the company.
na after December 2018. As there is no economic have gone away, and so now James Litinsky, chief executive officer
domestic source of the materials used [the market] is efficient, and focused on of JHL Capital Group LLC, the major-
to make those magnets large enough to neodymium and presidium, and maybe ity owner of the Mountain Pass consor-
support current demand, the measure a bit of dysprosium for high-temperature tium, told Bloomberg News last Septem-
will likely force the DoD to purchase magnets. And traditional applications ber that Mountain Pass’ “self-sufficiency
rare earths from Japanese producers of for lanthanum, cerium, for lanthanum will serve as a foundation for an Ameri-
rare-earth elements, the main source for cracking catalysts for oil and gas, con- can-based rare earths industry.”
for rare earths outside China. tinue to be used. Those are bigger vol-
The U.S. Geological Survey estimated umes, but [account for] less value.”
Further Reading
U.S. manufacturers consumed 11,000 The most prudent strategy to ensur-
tons of rare earth elements in 2017. ing the steady supply of rare earths to Rare Earth Technology Alliance,
Although the Trump administration manufacturers around the world is to What Are Rare Earths?,
backed down from imposing steep tar- increase mining and refining outside http://www.rareearthtechalliance.com/
What-are-Rare-Earths
iffs on rare-earth elements from China of China. The only current major rare
after appeals from U.S industrial con- earths producer outside of China is Ly- Coyne, K.
Moving Past Neodymium: Scientists
sumers of the elements, China has not nas, which operates the Mount Weld Explore Alternative to Expensive Rare Earth
reciprocated, and U.S. rare earth exports mine in Western Australia, and produces Element, R&D Magazine, September 27,
have been hit with a 10% duty now, more than 5,000 metric tons of neodym- 2017, http://bit.ly/2OUwHkK
which could rise to 25% later this year. ium and praseodymium (NdPr) per year, Video: Super Elements BBC Documentary
This tariff is expected to negatively im- with most of its output committed to on Rare Earths (2017): https://www.youtube.
pact the sole U.S. rare earth mine in op- Japanese buyers. Other projects in Aus- com/watch?v=GOBKa4vxAOE
eration, located at Mountain Pass, CA, tralia, Russia, and Brazil are set to enter
and the ability of the U.S. manufactur- production over the next several years. Keith Kirkpatrick is principal of 4K Research &
Consulting, LLC, based in Lynbrook, NY, USA.
ers to reestablish a self-sufficient rare Moreover, there was a large dis-
earths manufacturing industry. covery last year of hundreds of years’ © 2019 ACM 0001-0782/19/3 $15.00

18 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 SHAPE THE FUTURE OF COMPUTING.
JOIN ACM TODAY. www.acm.org/join/CAPP

SELECT ONE MEMBERSHIP OPTION

ACM PROFESSIONAL MEMBERSHIP: ACM STUDENT MEMBERSHIP:
q Professional Membership: $99 USD q Student Membership: $19 USD
q Professional Membership plus q Student Membership plus ACM Digital Library: $42 USD
ACM Digital Library: $198 USD q Student Membership plus Print CACM Magazine: $42 USD
($99 dues + $99 DL) q Student Membership with ACM Digital Library plus
Print CACM Magazine: $62 USD

q Join ACM-W: ACM-W supports, celebrates, and advocates internationally for the full engagement of women
in computing. Membership in ACM-W is open to all ACM members and is free of charge.

PAYMENT INFORMATION

Name
Purposes of ACM
ACM is dedicated to:
Mailing Address 1) Advancing the art, science, engineering, and application
of information technology
2) Fostering the open interchange of information to serve
both professionals and the public
City/State/Province
3) Promoting the highest professional and ethics standards
ZIP/Postal Code/Country
By joining ACM, I agree to abide by ACM’s Code of Ethics
q Please do not release my postal address to third parties (www.acm.org/code-of-ethics) and ACM’s Policy Against
Harassment (www.acm.org/about-acm/policy-against-
harassment).
Email Address
I acknowledge ACM’s Policy Against Harassment and agree
q Yes, please send me ACM Announcements via email that behavior such as the following will constitute
q No, please do not send me ACM Announcements via email grounds for actions against me:

q AMEX q VISA/MasterCard q Check/money order • Abusive action directed at an individual, such as

threats, intimidation, or bullying
• Racism, homophobia, or other behavior that
Credit Card #
discriminates against a group or class of people
Exp. Date • Sexual harassment of any kind, such as unwelcome
sexual advances or words/actions of a sexual nature
Signature

BE CREATIVE. STAY CONNECTED. KEEP INVENTING.

ACM General Post Office 1-800-342-6626 (US & Canada) Fax: 212-944-1318
P.O. Box 30777 1-212-626-0500 (Global) [email protected]
New York, NY 10087-0777 Hours: 8:30AM - 4:30PM (US EST) acm.org/join/CAPP
V
viewpoints

DOI:10.1145/3306610 Pamela Samuelson

Legally Speaking
Questioning a New
Intellectual Property Right
for Press Publishers
Considering the implications of the “link tax” provision of the proposed
EU Directive for the Digital Single Market for traditional press publishers.

S
HOULD E U ROPE AN PRE SS vember 2018, these rights would last transition to digital publishing has
publishers be granted a for one year. been challenging and required experi-
new intellectual property Critics of Article 11 have tried to mentation with new business mod-
(IP) right over online uses of blunt somewhat the scope of this new els. Press publishers are fearful these
their journalistic contents? right. For instance, the Parliament’s business models will not suffice to
These publishers have long had both version of Article 11 would provide sustain their industry.
copyright and sui generis database IP that the right “shall not extend to The moral argument said to sup-
protections for these contents. Yet the mere hyperlinks which are accom- port the new press publishers’ right
European Commission, Council, and panied by individual words.” But the arises from a sense of unfairness that
Parliament have been convinced that Council and the Commission have technology companies (think Google)
only by granting the new IP right will not exactly agreed to this change or to and online news aggregator services
sustainable quality journalism con- the Parliament’s proposed exception (for example, Meltwater) are making
tinue to be produced in the EU. Despite for “legitimate private and noncom- money, either from advertising or from
some strong opposition, this proposal mercial uses” by individual users; ne- subscriptions, by providing members
seems likely to be adopted and made a gotiations to finalize the text of this of the public with free access to their
mandatory part of EU law. Directive are ongoing and likely to be news, through links and snippets,
Sometimes known by its critics as concluded in 2019. without compensating the publishers
the “link tax” provision, Article 11 of who provided that news.
the proposed Directive for the Digi- Arguments for the Press A secondary argument has focused
tal Single Market (DSM) would grant Publisher Right on difficulties that press publishers
press publishers a new set of exclusive It is no secret that these are trying have sometimes encountered in prov-
rights to control the reproduction and times for press publishers. Paid sub- ing copyright ownership in articles
making available of online journal- scriptions have generally declined, written by freelancers when suing
istic contents by information society readership has eroded, and adver- search engines or news aggregators.
service providers. Under the proposed tising revenues that long supported Some momentum for the press pub-
compromise text made public in No- print journalism have shrunk. The lisher right has built up in the last few

20 COM MUNICATIO NS O F TH E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 viewpoints

years, taking advantage of a general After the German law passed, press a result, estimated traffic to Spanish
sense of hostility in the EU toward ma- publishers authorized VG Media, their news sites declined by somewhere be-
jor technology U.S. companies. Google, collecting society, to establish 6% of tween 6% and 30%. Search engines and
Apple, Facebook, and Amazon (aka gross revenues as the license fee it news aggregators, it turned out, had
GAFA) are chief among them. should collect from technology firms driven traffic to Spanish news sites.
Complaints are legion that these for rights to make online uses of the Very few licenses have issued under the
firms have abused their dominant po- publishers’ journalistic contents. Ac- Spanish law.
sitions, been responsible for fake news cording to a report commissioned by
and privacy breaches, and/or shown a European Parliament committee Why Many Oppose the
indifference toward other firms’ IP (whose lead author is the well-known Proposed New IP Right
rights. EU policymakers have been per- copyright scholar Lionel Bently), In April 2018, a group of 169 IP aca-
suaded that there is a “value gap” that Google refused to pay such a fee and demics sent a statement to the EU
digital technology companies should eventually got some free licenses.1 Parliament strongly opposing Article
fill by licensing content from EU press These licenses notwithstanding, 11.4 There was, it said, “no indication
publishers, among others. VG Media sued Google for violating whatsoever that the proposed right
this right. A German court stayed the will produce the positive results it is
IMAGE BY ALICIA KUBISTA /A ND RIJ BORYS ASSOCIAT ES

Lessons from Germany and Spain proceedings so that the Court of Jus- supposed to.” Moreover, “considering
A few years before the DSM Directive tice of the EU (CJEU) could address the current high levels of market con-
was proposed, press publishers per- a question about the validity of the centration on online advertising mar-
suaded the German and Spanish legis- law. As of 2017, the society had issued kets and in media, a publishers’ right
latures (in 2013 and 2014 respectively) only five licenses and collected a total may well backfire: further strength-
to pass laws granting them rights simi- of 714,000 euros. ening the power of media conglom-
lar to those that Article 11 would man- Google also refused to pay license erates and of global platforms to the
date for all EU member states. These fees to contents of Spanish press pub- detriment of smaller players.” (By July
laws have met with much less success lishers. Instead it shut down its Span- 2018, another 69 IP academics joined
than their proponents had hoped. ish Google News service. Seemingly as this letter.)

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 21
viewpoints

Article 11 would, the Statement con-

cluded, impede the free flow of news
and other information vital to a demo- It remains unclear
cratic society, harm journalists who whether hyperlinking
often rely on search engines and aggre-
gators, and create uncertainty about its to press publisher
coverage and scope. contents will
It was also unclear how the new
publisher right would interact with ex- generally be lawful.
isting copyright laws, which typically
allow for fair quotations, and database
rights, which allow extractions of in-
substantial parts of databases.
The economic case for Article 11
was, moreover, weak. The press pub- however, still quite vague. Would it, for
lisher right would increase transaction instance, exempt a person or nonprofit
Advertise with ACM! costs considerably, as well as exacer- organization that regularly blogs with
bating existing power asymmetries in links to EU press publisher sites?
media markets. The Statement point- The Parliament-approved version
Reach the innovators ed to the ineffectiveness of the German also provided that “mere hyperlink-
and thought leaders and Spanish press publisher regimes ing accompanied by individual words”
as additional reasons not to create would not trigger liability. However, the
working at the such an EU-wide right. latest compromise text has retained
cutting edge The Max Planck Institute’s Center the Commission’s original version of
for Innovation and Competition also Article 11, which would extend liability
of computing published a Position Statement op- to hyperlinking if it constituted a com-
and information posed to Article 11.3 The European munication to the public.
Copyright Society’s response to the Because the communication right
technology through European Commission’s public con- in respect of hyperlinking is an ever-
ACM’s magazines, sultation on the role of publishers in evolving concept under some very
the copyright value chain raised sig- confusing CJEU decisions, it remains
websites nificant questions about the proposed unclear whether hyperlinking to
and newsletters. press publishers’ right.2 press publisher contents will gener-
The Bently et al. report noted that on- ally be lawful.
line journalists perceive the new right as Yet, the November 2018 compro-
◊◆◊◆◊ a threat to the nature of news commu- mise text would qualify the press
nication in the modern era: “Paying for publisher right by providing that
links is as absurd as paying for citations “uses of insubstantial parts of a press
Request a media kit in the academy would be.” That report publication” should not give rise to
with specifications cast doubt on the wisdom of adopting a liability. Moreover, member states
provision such as Article 11. could determine what parts of press
and pricing: publications are “insubstantial” by
Will Compromise Provisions “taking into account whether these
Ilia Rodriguez Overcome Opposition? parts are the expression of the intel-
To respond to concerns expressed by lectual creation of their authors, or
+1 212-626-0686 various critics, the European Parlia- whether these parts are individual
[email protected] ment in September 2018 approved words, or very short excerpts.” This
several amendments to Article 11. For qualification is better than nothing,
instance, it proposed creating an ex- but notice how vague is the concept
ception for individual users to make of “insubstantial” and what if mem-
“legitimate private and noncommer- ber states differ on how many words
cial uses” of press contents. are too many?
The compromise text made public Another qualification proposed in
in November 2018 contains a similar, a recital to the compromise text indi-
although differently worded, provi- cates the rights should not extend to
sion. It states that the press publisher “mere facts” reported in the press pub-
rights “shall not apply to uses of press lications. Again, this is better than no
publications carried out by individual such limitation, but it begs the ques-
users when they do not act as informa- tion of what “mere facts” includes and
tion society service providers.” This is, does not include.

22 COM MUNICATIO NS O F TH E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 viewpoints

The Parliament’s version of Article

11 would have cut the duration of the
license. Each member state will have
its own implementation of the DSM Calendar
proposed press publisher right to a
five-year term in contrast to the Com-
mission’s original proposal of 20 years
directive. Prospective licensees will
have to negotiate with every member
states’ preferred collecting society to
of Events
from publication. But when it comes clear all the rights necessary to make March 10–14
to news, even five years seems unduly digital uses of European journalistic CHIIR ‘19: Conference on
Human Information Interaction
long. The November 2018 compromise contents.
and Retrieval,
text would follow the German law in Even if Google and Facebook decide Glasgow, U.K.,
granting press publishers these rights to take licenses from European press Sponsored: ACM/SIG,
for only one year. publishers and can afford to negotiate Contact: Martin Halvey,
Email: martin.halvey@gmail.
Finally, the Parliament-approved all of the necessary licenses, isn’t there com
version of Article 11 proposed requir- a significant risk these licenses will fur-
ing press publishers to provide authors ther entrench them as dominant play- March 17–20
with a “proportionate” share of what- ers in global information markets? The IUI ‘19: 24th International
Conference on Intelligent
ever revenues the publishers collect new press publisher right would seem User Interfaces,
from licensees of the new right. This to impose significant transaction costs Los Angeles, CA,
might well reduce (perhaps by half) the as well as establish expensive licensing Co-Sponsored: ACM/SIG,
benefits to publishers from creation of fees for some individual bloggers, in- Contact: Wai-Tat Fu,
Email: [email protected]
this new IP right. Or it may instead lead novative startups, and small enterpris-
to much higher license fees to fund the es that may want to link to journalistic March 17–20
author-sharing. The November 2018 contents from European sites. TEI ‘19: 13th International
compromise text retains this proposal. While there is very little chance at Conference on Tangible,
Embedded, and
As well-meaning as the author- this point that Article 11 will be deleted Embodied Interaction,
sharing proposal may be, it underes- from the DSM Directive, some further Tempe, AZ,
timates how substantial will be the compromises may be negotiated by Sponsored: ACM/SIG,
Contact: Stacey Kuznetsov,
costs necessary to obtain sufficient those responsible for finalizing its text Email: [email protected]
information to determine which au- so that freedom of information and ex-
thors are entitled to get what part of pression are not unduly repressed by March 21–22
each press publisher’s revenues. adoption of this unfortunately ambigu- TAU ‘19: ACM International
Workshop on Timing Issues in
ous new IP right. the Specification and Synthesis
Conclusion A closed-door “trilogue” is under of Digital Systems,
A key assumption underlying the pro- way among representatives of the Eu- Monterey, CA,
posed DSM Directive, including Article ropean Commission, the Council, and Sponsored: ACM/SIG,
Contact: Song Chen,
11, is that strengthening European the Parliament, each of which has sup- Email: [email protected]
IP rights will lead to much greater li- ported a different version of Article 11.
censing revenues flowing to European The November 2018 compromise text March 25–27
rights holders from (mostly) American will likely not be the last word. Other CODASPY ‘19: 9th ACM
Conference on Data
technology companies. (See my No- nations should, however, be wary of and Application Security
vember 2018 column discussing the following the EU’s lead on this particu- and Privacy,
even more controversial Article 13 of lar initiative. Richardson, TX,
Sponsored: ACM/SIG,
this Directive.) Contact: M.B. Thuraisingham,
European press publishers have lob- References
Email: bhavani.
1. Bently, L. et al. Strengthening the Position of Press
bied heavily for this new right and seem Publishers and Authors and Performers in the [email protected]
on the verge of getting a significant boost Copyright Directive: A Study Commissioned by the
European Parliament (2017); https://bit.ly/2wL9ZhQ March 25–28
in leverage this right will give them to 2. Kretschmer, M. et al. The European Commission’s
EuroSys ‘19: 14th EuroSys
negotiate for new revenue streams from Public Consultation on the Role of Publishers in the
Copyright Value Chain: A Response by the European Conference 2019,
search engines and news aggregators. Copyright Society, European Intellectual Property Dresden, Germany,
The German and Spanish experiences Review (E.I.P.R.) 38, 10 (Oct. 2016), 591–595; https:// Sponsored: ACM/SIG,
bit.ly/2LuOHgH. Contact: Christof Fetzer,
thus far cast doubt on the prospects for 3. Max Planck Institute for Innovation and Competition.
Email: [email protected]
Position Statement on Proposed Modernisation of
significant successes. Whether an EU- European Copyright Rules, Part E Protection of Press
wide right will achieve better results Publications Concerning Digital Uses; https://bit. April
ly/2EHa6mb
remains to be seen. Maybe Google and 4. Ricolfi, M., Xalabarder, R., and van Eechoud, M.
Facebook will pay up, but maybe not. Academics Against Press Publishers’ Right, Statement April 3–4
from 169 EU Academics, 2018; https://bit.ly/2r3a1QD. SOSR ‘19: Symposium
There is, of course, some irony in on SDN Research,
the EU’s prospective adoption of a San Jose, CA,
Pamela Samuelson ([email protected]) is
Directive aimed at promoting a “digi- Sponsored: ACM/SIG,
the Richard M. Sherman Distinguished Professor of Law
Contact: Eric Rozner,
tal single market” given that no one and Information at the University of California, Berkeley,
Email: [email protected]
and a member of the ACM Council.
licensing entity exists from which
technology firms can get an EU-wide Copyright held by author.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 23
V
viewpoints

DOI:10.1145/3306615 Ofir Turel

• Marshall Van Alstyne, Column Editor

Economic and
Business Dimensions
Potential ‘Dark Sides’
of Leisure Technology
Use in Youth
Time for balanced reflections on technology.

C
O M P U T I N G TE CH N OLOGY H AS
produced many societal
benefits. Nevertheless, it of-
ten serves as a double-edged
sword and promotes nega-
tive consequences, such as distraction,
addiction, time waste, and reduced
well-being.10 This is perhaps not sur-
prising given that “When you invent
the ship, you also invent the shipwreck
... Every technology carries its own neg-
ativity, which is invented at the same
time as technical progress.”11 Indeed,
many computing technologies follow
this pattern, exhibiting a duality of
“bright” and “dark” effects on people,
firms, and societies.3,4 The problem is
that the understanding of downsides
of technology sometimes lags our un-
derstanding of upsides. We, especial-
ly technology enthusiasts, are often
enchanted by the abundant positive
things new technologies can do, and
this dilutes our ability to develop reli-
able judgments regarding the harms
new technologies can cause.7
While studies of both positive5 given the lack of regulation of tech- of computing technologies is largely
and negative9 technology effects on nology use and the limited awareness unregulated and many parents and
children and youth exist, trends in to possible technology use harms. By children may not be aware of the
IMAGE BY MIKE SH OTS

technology use among youth and contrast with other harmful materi- extent of harm that may be associ-
their possible adverse associations als and behaviors (for example, using ated with excessive use of technol-
are less well explored. It is important illicit substances, consuming junk ogy. Hence, analyzing such trends can
to examine and discuss such trends food, not wearing seatbelts), the use serve as a springboard for initiating a

24 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 viewpoints

healthy discussion in our discipline 1 parallel a decline in the frequency of Moreover, in many cases young video
regarding possible “dark side” effects important healthy lifestyle activities, gamers deceive their parents and play
of computing technologies on youth, including eating breakfast, exercising, late at night or early in the morning,1
and more broadly speaking, develop- and getting sufficient sleep. Again, which can explain reduction in break-
ing a more balanced discussion re- this might be explained via the zero- fast frequency.
garding the effects of technologies sum-game argument; the use of allur- Figure 3 shows a decline in face-
on societies. Increasing awareness to ing technologies might have cannibal- to-face social activities in youth that
such issues and sparking this discus- ized from healthy lifestyle activities. parallels the increase in the use of lei-
sion are needed steps before we mo- For instance, video gaming can con- sure technologies. Circa 2016, youth
bilize resources and develop and test sume people’s time and prevent physi- attended social functions, met friends,
solutions for possible largely unex- cal activity; it can also reduce sleep via and went on dates less frequently com-
pected negative effects of technology the blue light emitted from screens.8 pared to 2012 youth. Technology can
use on youth.
Here, I seek to shed light on tech- Figure 1. Trends in time spent on leisure computing vs. school work in youth.
nology use trends in youth and ex-
amine their parallels with a range Daily Hours of Homework Daily Hours of Computer Use
of adverse outcomes in the school, for School Work
social, well-being, and health do- Daily Hours of Internet Use
Error bars: 95% CI
mains. To achieve this objective, I Not for School
analyze a large dataset (n=152,172)
of survey responses by youth, ap- 1.70
proximately 13–16 years old, across
the U.S. This data is drawn from an 1.50

annual (2012–2016) survey adminis-

tered to hundreds of schools.2 1.20
Hours/Day

1.00
Results 0.92
0.73
Figures 1–4 portray, correspondingly,
trends in: time (hours/day) spent on 0.66
leisure vs. for school computing and 0.50
work; healthy lifestyle activities; so- 0.41
cial activities; and well-being and self-
worth. Error bars represent 95% confi-
2012 2013 2014 2015 2016
dence intervals. Year
Figure 1 demonstrates an increase
in the use of computing technolo-
gies, both for leisure and for school
purposes. However, the average in- Figure 2. Trends in healthy lifestyle activities in youth.
crease in technology use for leisure
(30 minutes/day) is twice as much (1) Never (4) Most Days How Often Eat Breakfast How Often Exercise
as the average increase in the use of (2) Seldom (5) Nearly Every Day
(3) Sometimes (6) Everyday
technology for school assignments Error bars: 95% CI
How Often Get At Least
7 Hours of Sleep/Night
(15 minutes/day). Given the zero-
sum-game of a student’s after-school
time, one possibility is the use of
technologies for leisure purposes is 4.4
4.38
alluring and consequently cannibal-
izes from schoolwork time (average 4.30
4.3
reduction of 11.4 minutes/day be-
Frequency

tween 2012 and 2016). Another pos-

4.22
sibility is the changes in the use of 4.2
4.18
technology for schoolwork increases
efficiency in homework tasks; but
4.1
the nature of such potential efficien- 4.07
4.02
cies (for example, increased ease of
finding explanations vs. increased 4.0
ease of finding an online solution to 2012 2013 2014 2015 2016
copy) is unclear. Year
Figure 2 shows the changes in tech-
nology use patterns described in Figure

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 25
viewpoints

serve as one explanation for this de- users are exposed to a larger compari- adults,4,7,10 the sometimes excessive
cline as it can isolate youth, build on- son set. If a child is comparing him- or use of leisure technologies in youth
line socialization habits, and reduce herself to the top people of an ever-ex- can adversely affect school, social,
youth’s motivation and ability to inter- panding set, then it is conceivable that health and well-being facets. While
act face-to-face.10,12 he or she might experience a growing I could not calculate all correlation
Lastly, Figure 4 demonstrates a inferiority complex. given the nature of the dataset, exist-
general decline in well-being and self- The parallels between these groups ing correlations provide some support
worth perceptions that parallels the of trends can of course be a coinci- for these claims. The hours/day of use
increase in leisure technology use. dence. However, it is also possible of the Internet for leisure purposes
This can be explained via the increase that, as per the many studies indi- was significantly negatively correlated
in use of social media, where everyone cating possible negative effects of with the frequency of meeting friends
else’s life seems perfect. Social media technologies on adults and young informally, face-to-face (r = -0.025),
and with attending social functions
Figure 3. Trends in social activities in youth. (r=-0.010). Thus, it can be viewed as a
correlate of reduction in face-to-face
How Often Get Together How Often Go to Parties social activities. The use of leisure
With Friends Informally or Other Social Affairs technologies was also positively cor-
Error bars: 95% CI How Often Go Out related with the use of technology for
with A Date school work (r=0.198). Thus, it is pos-
4.2 sible that encouraging youth to use
4.00 technology for school work backfires,
3.81 as the mere presence of a computer
3.7
(1) Never may allure them to spend more leisure
(2) Few Times/Year
(3) 1–2 Times/Month
time on the Internet. Note the relative-
3.2 (4) Once a week ly small correlations imply the use of
Frequency

(5) Almost Daily

2.92 technology for leisure purposes may
2.7
2.74 not be the only or prime cause for ad-
verse outcomes in the social domain,
but it may be viewed as a potentially
2.2 (1) Never
2.09 (2) Once/Month or less contributing factor for such issues.
(3) 2–3 Times/Month
1.76 (4) Once a week
1.7 (5) 2–3 Times/Week Time for Balanced Reflections
(6) 3+ Times/Week
2012 2013 2014 2015 2016 on Technology
Year For many years we have emphasized
the positive aspects of computing
technologies because we believed in
their contribution to humanity. Nev-
Figure 4. Trends in well-being and self-worth in youth. ertheless, there is a growing body of
evidence in support of a technology
(1) Disagree duality view. That is to say, we have
(2) Mostly Disagree I Take A Positive Attitude It Feels Good
(3) Neither Agree nor Disagree Toward Myself to Be Alive
started realizing and quantifying the
(4) Mostly Agree notion that many of the technologies
(5) Agree Error bars: 95% CI I Am Able to Do Things as
Well as Most Other People we develop can also be harmful, es-
pecially when used excessively. While
adults can typically understand and
deal with such issues, for example,
4.41
4.4 through self-regulation of leisure
technology use during work hours,
Level of Agreement

youth often cannot do so as effectively.

4.2
4.22 This difference stems from the idea
4.16 that their brains are still developing,
and the parts of the brain that drive re-
4.04
4.0
warding behaviors develop faster than
3.97 their brain regions that are involved in
3.87
self-control.6 It is hence our responsi-
bility to better inform them, their fam-
3.8
ilies, and their educators regarding
2012 2013 2014 2015 2016 possible risks that may be associated
Year
with improper and excessive use of
leisure computing technologies. We

26 COM MUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 viewpoints

for possible overconsumption, in this

Coming Next Month in COMMUNICATIONS

case, lies with parents, educators, and
Many of the children. Adapting this view, we could
technologies argue for increasing awareness regard-
ing leisure technology use risks and at
we develop can the same time ask the developers of
also be harmful, such technologies to either voluntari-
ly or through government regulation
especially when provide people with the means to track
used excessively. use and to have more usage control
and self-monitoring. This is, for exam-
ple, exactly what Apple has done with
iOS 12. Still, we cannot solely count on
tech providers; the responsibility to in-
form our children regarding such risks
should also consider whether the lei- and to teach them to live responsibly
sure computing technologies we de- with technology is likely still ours. As A Special Special on
velop should allow users to: easily self- a discipline, we certainly must start
track own activity; inform young users developing a balanced discussion that the Europe Region
and parents when dangerous levels of acknowledges both possible positive
activity are reached; and restrict/block and negative effects of technology on Understanding Trends
activities by request. children and young adults. in the Use of Various
It is informative to reflect on par- Analytics Applications
References
allels between our industry (the tech- 1. Bruner, O. and Bruner, K. Playstation Nation: Protect
sector) and other industries that re- Your Child from Video Game Addiction. Hachette Book
for Managerial Work
Group, NY, 2006.
vealed “dark sides” after a period of 2. Johnston, L.D. et al. Monitoring the Future: A
focusing almost solely on positive Continuing Study of American Youth (8th- and Cyber Security in
10th-Grade Surveys), 2015. Research, I.f.S. Ed.,
aspects of their products. Two in- Inter-university Consortium for Political and Social the Quantum Era
dustries that come to mind are the Research (ICPSR), Ann Arbor, MI, 2016.
3. Malhotra, A. and Van Alstyne, M. The dark side of the
tobacco and food industries. The to- sharing economy ... and how to lighten it. Commun.
Neural Algorithms
bacco industry sold its products and ACM 57, 11 (Nov. 2014), 24–27.

emphasized their positive effects

4. Tarafdar, M. et al. The dark side of information
technology. MIT Sloan Management Review 56, 2
and Computing
(for example, increased concentra- (Winter 2015), 600–623. Beyond Moore’s Law
5. Turel, O. and Bechara, A. Little video-gaming
tion) while hiding its negative ef- in adolescents can be protective, but too much
fects. Court rulings have forced it to is associated with increased substance use.
Substance Use and Misuse. (Jan. 2019); DOI: Metrics that Matter
pay restitution, and regulations have 10.1080/10826084.2018.1496455
6. Turel, O. et al. An examination of neural systems sub-
forced it to restrict the use of tobacco serving Facebook “addiction.” Psychological Reports
products to adults, and to advertise 115, 3 (Mar. 2014), 675–695.
Identity By
the risks associated with its use. Con- 7. Turel, O. and Qahri-Saremi, H. Problematic use of
social networking sites: Antecedents and consequence
Any Other Name
sequently, there has been a constant from a dual system theory perspective. Journal of
Management Information Systems 33, 4 (Apr. 2016),
decline in tobacco consumption in 1087–1116. Reseach for Practice:
Western countries. 8. Turel, O., Romashkin, A., and Morrison, K.M. Health
outcomes of information system use lifestyles among Edge Computing
Perhaps this is an extreme parallel, adolescents: Videogame addiction, sleep curtailment
because one can argue that people can and cardio-metabolic deficiencies. PLoS One 11, 5

live without tobacco, but technology

(May 2016), e0154764.
9. Turel, O., Romashkin, A., and Morrison, K.M. A model
The Web Is Missing
is essential to functioning in modern linking video gaming, sleep quality, sweet drinks an Essential Part
consumption and obesity among children and youth.
society. If so, consider the food indus- Clinical Obesity 7, 4 (Apr. 2017), 191–198.
try parallel. On an evolutionary time- 10. Turel, O. and Serenko, A. The benefits and dangers of
enjoyment with social networking websites. European Fully Device-
scale, food was scarce so people devel- Journal of Information Systems 21, 5 (May 2012),
oped innate preference for fatty and 512–528. Independent Quantum
11. Virilio, P. and Petit, P. Politics of the Very Worst.
sugary foods. Modern ability to satiate Semiotext(e), NY, 1999. Key Distribution
12. Xu, Z.C., Turel, O. and Yuan, Y.F. Online game addiction
these needs has improved and com- among adolescents: Motivation and prevention factors.
panies have created many such foods European Journal of Information Systems 21, 3 (Mar.
2012), 321–340.
to the point where unhealthy food is
abundant and obesity became an epi-
Ofir Turel ([email protected]) is a professor of
demic. Governments regulate food by Information Systems and Decision Sciences at California
Plus the latest news about
enforcing food labeling as a means to State University, Fullerton, and a scholar in residence
non-standard robot designs,
at the decision neuroscience lab at the University of
inform consumers. Simultaneously, Southern California; http://oturel1.wixsite.com/ofirturel the future of data storage,
awareness regarding proper nutri- and employee monitoring.
tion has increased. The responsibility Copyright held by author.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 27
V
viewpoints

DOI:10.1145/3306614 Peter J. Denning

The Profession of IT
An Interview with
William Hugh Murray
A discussion of the rapidly evolving realm of practical cyber security.

W
ILLIAM HUGH (BILL) to guess. You declared that the root
is a manage-
M U R R AY cause of this is the reusability of pass-
ment consultant and words. You proposed that we use tech-
trainer in Information nologies where a password can be used
Assurance specializ- only once. How does this work and why
ing in policy, governance, and applica- is it now feasible?
tions. He has more than 60 years expe- A: This is not simply about “weak
rience in information technology and passwords” but all passwords. It is
more than 50 years in security. During time to abandon passwords for all but
more than 25 years with IBM his man- trivial applications. Passwords are
agement responsibilities included de- fundamentally vulnerable to fraudu-
velopment of access control programs, lent reuse. They put the user at risk of
advising IBM customers on security, fraudulent use of identity, capabilities,
and the articulation of the IBM secu- and privileges and the system or ap-
rity product plan. He is the author of plication at risk of compromise and
the IBM publication Information Sys- contamination by illicit users. Strong
tem Security Controls and Procedures. passwords protect against brute force
He has been recognized as a founder attacks but these are not the attacks
of the systems audit field and by Infor- that we are seeing.
mation Security Magazine as a Pioneer We need “strong authentication,”
in Computer Security. He has served defined as at least two kinds of evi-
as adjunct faculty at the Naval Post- vulnerabilities arise from poor prac- dence of identity, one resistant to brute
graduate School and Idaho State Uni- tice, not from inadequate technology. force attacks and the other resistant to
versity. In 1999, he was elected a Dis- Many people today are concerned replay, that is, includes a one-time val-
tinguished Fellow of the Information about cybersecurity and want to ue. All strong authentication is “multi-
System Security Association. In 2007, know how to protect themselves factor” but not all multi-factor is
he received the Harold F. Tipton Award from malware, identity thieves, in- strong. Strong authentication protects
in recognition of his lifetime achieve- vading hackers, botnets, phishers, us against both brute force attacks and
ment and contribution. In 2016, he and more. I talked to Bill about what the fraudulent reuse of compromised
was inducted into the National Cyber practices we have to deal with these credentials, for example from so called
Security Hall of Fame. In 2018, he was issues, and where we need to look for “phishing” attacks, the attacks that we
elected a Fellow of (ISC)2—see https:// new practices. are actually seeing.
www.isc2.org/). Steve Jobs and the ubiquitous mo-
Bill Murray has been responding for Q: Weak passwords have been the bane bile computer have lowered the cost
IMAGE COURTESY OF ( ISC) 2 BLOG

years to security threats with noncon- of security experts for years. Early stud- and improved the convenience of
ventional thinking. When he sees a se- ies of time-sharing systems showed strong authentication enough to over-
curity breakdown, he asks what is the that in a community of 100 users, two come all arguments against it.
current practice that allows the break- or three are likely to use their own
down to happen, and what new prac- names as passwords. A hacker can Q: The Internet is seen as a flat network
tice would stop it? Most of our security break in easily if passwords are so easy where any node can communicate with

28 COMMUNICATIO NS O F TH E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 viewpoints

any other. One of the fundamental Oh, I almost forgot. We must moni-
ideas baked into the Internet protocols tor traffic flows. Malware generates
is anonymity. This presents immense The most anomalous and unexpected traffic.
problems for local networks that want efficient measures Automated logging and monitoring of
to be secure because they cannot eas- the origin and destination of all traffic
ily validate whether requested connec- are those that operate moves from ”nice to do” to ”must do.”
tions are from authorized members. early, preventing While effective logging generates large
What technologies are available to de- quantities of data, there is software to
fine secure subnets, abandoning the the malware help in the efficient organization and
idea of flatness and anonymity? from being installed analysis of this data.
A: The Internet is flat in the sense
that the cost and time of communica- and executed in Q: Early in the development of operat-
tion between two points approximates the first place. ing systems we looked for solutions to
that of any two points chosen at ran- the problem of running untrusted soft-
dom. Enterprise networks are often, ware on our computers. The principle
not to say usually, designed and in- of confinement was very important.
tended to be as flat as possible. The idea was to execute the program in
It is time to abandon the flat net- a restricted memory where it could not
work. Flat networks lower the cost of tion of people who can do harm. Our access any data other than that which
attack against a network of systems or current strategies of convenience over it asked for and which you approved.
applications—successfully attacking security and “ship low-quality early and The basic von Neumann architecture
a single node gains access to the net- patch late” are proving to be not just did not have anything built in that
work. Secure and trusted communica- ineffective and inefficient, but danger- would allow confinement. The modern
tion must now trump ease of any-to- ous. They are more expensive in main- operating systems like iOS or Android
any communication. tenance and breaches than we could include confinement functions called
It is time for end-to-end encryptions ever have imagined. “sandboxes” to protect users from un-
for all applications. Think TLS, VPNs, trusted software downloaded from the
VLANs and physically segmented net- Q: What about malware? When it gets Internet. Is this a productive direction
works. Encrypted pathways must reach on your computer it can do all sorts of for OS designers and chip makers?
all the way to applications or services harm such as stealing your personal A: The brilliance of the von Neu-
and not stop at network perimeters or data or in the worst case ransomware. mann architecture was that it used the
operating systems. Software Defined What effective defenses are there same storage for both procedures and
Networks put this within the budget of against these attacks? data. While this was convenient and
most enterprises. A: The most efficient measures are efficient, it is at the root of many of
those that operate early, preventing the our current security problems. It per-
Q: Most file systems use the old Unix malware from being installed and ex- mits procedures to be contaminated
convention of regulating access by the ecuted in the first place. This includes by their data and by other procedures,
read-write-execute bits. Why is this a familiar antivirus programs as well notably malware. Moreover, in a world
security problem and what would be a as the restrictive access control rules in which one can put two terabytes of
better practice for controlling access? mentioned earlier. It may include ex- storage in one’s pocket for less than
A: It is not so much a question of the plicitly permitting only intended code $100, the problem that von Neumann
controls provided by the file system but to run (so-called “white listing”). It will set out to solve—efficiently using stor-
the permissive default policy chosen by include process-to-process isolation, age—no longer exists.
management. It is a problem because which prevents malicious code from In the modern world of ubiquitous
it makes us vulnerable to data leak- spreading; isolation can be imple- and sensitive applications running in
age, system compromise, extortion, mented at the operating system layer, a single environment, with organized
ransomware, and sabotage. It places as in for example, Apple’s iOS, or fail- criminals and hostile nation-states,
convenience and openness ahead of ing that, by running the untrusted pro- convenience and efficiency can no lon-
security and accountability. It reduces cesses in separate hardware boxes. We ger be allowed to trump security. It is
the cost of attack to that of duping an should not be running vulnerable ap- time to at least consider abandoning
otherwise unprivileged user into click- plications such as email and browsing the open and flexible von Neumann Ar-
ing on a bait object. on porous operating systems, such as chitecture for closed application-only
It is time to abandon this convenient Windows and Linux, along with sensi- operating environments, like Apple’s
but dangerously permissive default ac- tive enterprise applications. iOS or the IBM iSeries, with strongly
cess control rule of in favor of the more However, since prevention will nev- typed objects and APIs, process-to-pro-
restrictive “read/execute-only” or even er be much more than 80% effective, cess isolation, and a trusted comput-
better, “Least privilege.” These rules we should also be monitoring for indi- ing base (TCB) protected from other
are more expensive to administer but cators of compromise, the evidence of processes. These changes must be
they are more effective; they raise the its presence that any code, malicious or made in the architecture and operating
cost of attack and shrink the popula- otherwise, must leave. systems. There is nothing the iOS user

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 29
viewpoints

can do from the user interface that will To reduce this threat, start with
make a persistent change to the integ- strong authentication for the use of
rity of the software. There is little the Outsiders may any privileged capabilities. Imple-
developers of programs can do that will damage the brand but ment multiparty controls over these
nullify defects in the operating system capabilities. Improve accountability
or other programs. insiders may bring by ensuring privilege is available to
It is ironic that one can get a so- down the business. only one user at a time, only when
called “computer science” degree with- needed. Keep a record of all grants
out even being aware of alternatives to and uses of privilege.
the von Neumann architecture.
Q: You clearly have strong opinions
Q: There have been many attempts about how to secure our computer sys-
at intrusion detection in operating A: Courtney’s Third Law taught us tems and networks. You place a great
systems. Is it possible to identify that “there are management solutions to deal of weight on past security prac-
someone appearing to be an autho- technical problems but there are no tices. Are these not obsolete? Don’t we
rized user is actually someone else? technical solutions to management need the results of modern security re-
A: There are recognizable differ- problems.” Substitute “human” for search more than ever?
ences in the behavior of authorized “management” and the statement re- A: I plead guilty to having strong
users and impersonators. The simple mains true. opinions and I beg for tolerance. I
measure of identifying repeated failed Masquerading and fraud attacks would like to defend my respect for
attempts to do something can reveal appeal to the Seven Deadly Sins and to past practices. Believe it or not, design-
intruders. More complex measures gullibility, fear, curiosity, and even the ers of operating systems have made
exploiting advances in artificial intel- mere desire to be helpful. Fraud and security and protection a high priority
ligence can detect more subtle differ- deceit—what the roque hackers call since the 1960s. Their research and ex-
ences. We must tune these measures “social engineering”—are as old as lan- perience with real systems proves that
to balance false positives against the guage. They have exploited every com- many of the methods they discovered
failure to detect. We must also en- munication medium ever used. work. It astounds me that we would
sure the alarms and alerts get to the However, in the modern world, downplay those older successes in fa-
responsible managers, usually the these appeals are mostly used to get us vor of unproven research.
manager of the user and the owner to compromise our credentials or the What has changed over those years
of the asset, who are in a position to integrity of our systems. We can cau- is not the need for security, but the
recognize the need for, and have the tion and train our users but experi- risks and costs of insecurity. It should
authority and resources, to take any ence suggests the best of these efforts be clear to a casual reader of the news,
indicated corrective action. will not be sufficient. We must also let alone those with access to intelli-
use the measures recommended here gence sources, that what we are doing
Q: When OSs started to span networks, to limit the consequences of the inevi- is not working. It is both costly and
traffic analysis of packets became an table errors. dangerous.
ingredient of a signature of computer While these recommendations may
use. Is this a valuable approach today? Q: What about insider attacks? represent a change in the way we are do-
A: It’s tough but not hopeless. A: Threats have both source and ing things, we know they work. There is
While we may never be sure that all rate. Insiders have a low rate but high little new in them. Most of these ideas
nodes in the public networks properly consequences. Outsiders may damage are as old as computing and some we
identify themselves, cryptography the brand but insiders may bring down inherited from more primitive informa-
can improve the trust that we have the business. tion technology. Most of the resistance
as to the source of traffic. While we There are risks with privileged us- to using these practices comes from
may never solve the problem of com- ers and escalation of privileges. Ed- loss of convenience. Good security is
promised systems being used as “cut- ward Snowden was able to expand his not convenient. But it is absolutely nec-
outs” to hide the identity and location privileges in an organization with “se- essary for the security of our assets and
of the sources of attack traffic, by stor- curity” in its name. He did this over the reliability of the many critical sys-
ing more meta data about the sources an extended period of time without tems on which we all depend. We need
and destination of traffic, we can im- being detected. not suffer from the scourge of systems
prove the effectiveness and efficiency Pervasively we have too many over that so easily succumb to invaders.
of forensics. privileged users, with too little ac-
countability. Indeed privileged users Peter J. Denning ([email protected]) is Distinguished
Professor of Computer Science and Director of the
Q: Another common attack method is are among the most likely to share IDs Cebrowski Institute for information innovation at the
phishing: email or voicemail messages and passwords. There is no account- Naval Postgraduate School in Monterey, CA, is Editor of
ACM Ubiquity, and is a past president of ACM. The author’s
that appear legitimate and entice you ability if something goes wrong. Often views expressed here are not necessarily those of his
into revealing your personal informa- the privileges are so great and account- employer or the U.S. federal government.

tion. Are there any practical ways to de- ability so poor that the privileges, once
fend against phishing. granted, cannot be reliably withdrawn. Copyright held by author.

30 COMM UNICATIO NS O F THE AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 V
viewpoints

DOI:10.1145/3306617 Sepehr Vakil and Jennifer Higgs

• Mark Guzdial, Column Editor

Education
It’s About Power
A call to rethink ethics and equity in computing education.

T
HIS COLUMN AIMS to build on
and extend the field’s under-
standings of the nature of
ethics and equity in comput-
ing. Specifically, we argue that
issues related to systems of power,
which are often absent from conversa-
tions around ethics in computing, must be
brought to the foreground in K–16 com-
puting education. To this end, we argue for
a justice-centered pedagogy5 that centers
power by explicitly acknowledging the
ethical and political dimensions of com-
putation and builds learning conditions so
that everyone—including, but not limited
to, students on computer science (CS) or
engineering pathways—can understand,
analyze, critique, and reimagine the tech-
nologies that shape everyday lives.
A power-conscious approach to eth-
ics in computing highlights the socio- ˲˲ We must center power in discus- well-intentioned conversations has
political and sociocultural contexts in sions of ethics in computing, by which been a robust consideration of equity in
which technologies are developed and we mean explicitly attending to how CS as it pertains to issues of ethics and
deployed. To respond to the highly com- computing systems intersect with power. In particular, the ways in which
plex sociotechnical problems of the 21st structures of inequality and hierarchy computational tools and technologies
century and beyond, future computer in society; and have multiple, complex, and profound
scientists and engineers need educa- ˲˲ We must view engagement with implications for the lived experiences of
tional opportunities that prepare them the sociopolitical and ethical dimen- nondominant communities have been
to understand and care about the far- sions of computing as a core prac- largely ignored (for example, how ma-
reaching ethical and sociopolitical im- tice made available to all students, chine learning is changing law enforce-
plications of new technologies. Yet, we whether or not they are on CS or engi- ment practices in communities of color,
must also fundamentally rethink who neering pathways. how automation technologies are re-
computing education is for. Serious ef- shaping welfare eligibility,1 or how com-
forts should be made at the K–12 and Equity Is More than Inclusion mercial search engines reinforce racist
undergraduate levels to make the knowl- In recent years, the role of equity in CS and sexist bias).4 Leaving these power
edge, skills, and tools to critically exam- education has increasingly become a imbalances unexamined precludes
IMAGE F RO M SH UTT ERSTOCK.CO M

ine the relationships between power, topic of discussion. Much of this dia- deep engagement with issues of equity.
ethics, and technology available to all. logue has centered around the creation In our view, because these complicated
Given rapidly evolving innovations and of inclusive learning environments in interactions of technologies and society
contexts of computing, we argue for two computing, particularly with regard to shape how nondominant groups experi-
changes in our approach to ethics and marginalized students and their com- ence and negotiate daily life and broad-
equity in K–16 computing education: munities.3 Yet, often missing from these er social systems, substantive discus-

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 31
viewpoints

sions of equity in CS must intentionally Is she acting ethically? Or we might ask:

include dynamics of power and ethics. How do broader ethical and ideological
values guide innovation in companies
A Reframing of Ethics in Computing like the one this engineer works for?
While there have been a number of im- Does the current and emerging land-
portant calls and initiatives to integrate scape of new technologies (and the in-
ethics into computing education, the stitutions and industries creating these
ACM
ACM Conference
Conference tendency has been to ignore how ethics technologies) collectively contribute to
are situated within larger political and a more just and ethical society? Center-
Proceedings
Proceedings ideological contexts. As a result, discus- ing power in discussions of ethics does
Now
Now Available via
Available via sions of ethics are primarily framed as
a matter of personal choice and respon-
not mean answers to these questions are
provided for students, but it does mean
Print-on-Demand!
Print-on-Demand! sibility. For example, the current ACM opportunities are intentionally created
Code of Ethics and Professional Con- for students to discuss, debate, and ana-
duct notes principles such as “Be honest lyze what others have called the “macro-
Did you know that you can and trustworthy” and “Know and respect ethics” of technological systems.2
now order many popular existing rules pertaining to professional
work.” We have no bone to pick with uni- A Focus on Decoding Power
ACM conference proceedings versally accepted traits such as honesty A focus on power entails providing op-
via print-on-demand? and respect, but we contend that orga- portunities for students to decode how
nizing discussions of ethics around the computational systems, which we de-
good or bad decisions/values of individu- fine as coordinated networks of digital
Institutions, libraries and al actors obscures more complex interac- tools and devices (for example, the In-
individuals can choose tions between ethics and technology. ternet, blockchain technology, surveil-
Moreover, an honest assessment of lance systems), intersect and are inter-
from more than 100 titles ethical behavior (for individuals as well twined with sociopolitical systems (for
on a continually updated as systems) must include analysis of example, racism, neoliberalism, mili-
list through Amazon, Barnes how people’s behaviors contribute to, tarism, the U.S. immigration system).
resist, or otherwise intersect with struc- Decoding requires careful study of
& Noble, Baker & Taylor, tures of inequality and hierarchy in soci- these different systems and the ways in
Ingram and NACSCORP: ety. For example, say an engineer works which they interact. An unprecedented
CHI, KDD, Multimedia, at a firm where she is instructed to write level of public debate recently has un-
code that programs handheld helmet- derscored the urgency of attending to
SIGIR, SIGCOMM, SIGCSE, mounted imaging systems designed for these intersections in discussions of
SIGMOD/PODS, the military. The engineer does her job ethics and computing. How does racial
and many more. faithfully as an honest, hard-working bias shape artificial intelligence (AI) al-
employee. Her code is elegant, original, gorithms? How do theoretical advances
and well documented. Yet, by helping in cryptography lay the foundation for
For available titles and to produce this slick and sophisticated mass surveillance? Why are engineers
technology, she also contributes to the at Google and Microsoft raising con-
ordering info, visit: project of militarism around the world. cerns about their companies’ entangle-
librarians.acm.org/pod ments with the Pentagon and Immigra-
tion and Customs Enforcement (ICE)?
Organizing Addressing these highly complex ques-
tions requires a deeper understanding
discussions of ethics of how these technological systems
around the good interact with sociopolitical systems.
For example, exploring racial bias in
or bad decisions/ AI algorithms demands an understand-
values of individual ing of visual cognition systems and sys-
tems of race and hierarchy. Developing
actors obscures more a moral stance on war-related technolo-
complex interactions gies, and evaluating those of others,
requires understanding not just how
between ethics technologies may be used for unethi-
and technology. cal purposes, but also how the politics
of war and empire shape the technolo-
gies that are developed in the first place.
These are fraught intersections, where
ethical dilemmas arise and thrive; where

32 COMMUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 viewpoints

technology and society collide to simul- warded a view of ethics rooted in the
taneously create challenges and oppor- fundamental relationships between
tunities for education and social action. There are encouraging science and power. Especially in his
cross-disciplinary later writings, he urged the field to take
A Critical Practice for Democracy seriously the ways machines may alter
and Civic Engagement developments on society in ways that would challenge
Focusing on power in discussions of the horizon the field the very meaning of human life.6 More
computing and ethics foregrounds jus- recently, Jeannette Wing’s contention
tice and equity, and is thus a critical should support and that computational thinking is “a uni-
practice that can benefit all members continue to foster. versally applicable attitude and skill
of society. Democratic societies are set [that] everyone, not just computer
shaped, filtered, enhanced, and circum- scientists” can learn and use7 helped
scribed by computing technologies and spark an enduring debate about com-
the algorithms driving them, yet these putation’s transdisciplinarity and its
interactions between society and tech- untapped potential to inspire new
nology are often difficult to discern. Full Computer Science and the Learning ways of seeing the world. We see much
social and political participation hinges Sciences, and the new interdisciplinary value in these early formulations, par-
on the ability to perceive and interro- College of Computing at MIT). The digi- ticularly with regard to their emphasis
gate these interactions. Today’s and to- tal social sciences and humanities have on the power of computing to transform
morrow’s civically engaged actors must started to examine the intersections of society. Highlighting power as a con-
have access to technology and oppor- computational tools and methods in ceptual and pedagogical approach lo-
tunities to develop technical skills, but fields such as history, literature, film cates learning about computing within
they must also possess the knowledge, studies, political science, philosophy, a justice frame that both complements
conceptual frameworks, and vocabular- and sociology. Liberal arts colleges are and challenges previously articulated
ies to make sense of, vote, protest, de- beginning to introduce technology re- visions for computing education.
sign, and advocate for socially desirable quirements and offer specializations in Robust understandings of power,
configurations between society and areas such as artificial intelligence and ethics, equity, technologies, and soci-
technology. Centering power in con- data science. Much of this work aims to ety—as called for in this column—are
siderations of ethics prepares people unite computational and humanistic key for the design of future tools and
to foreground how various forms of in- questions in novel ways and inspire new artifacts rooted in deep notions of the
justice may be disputed or reproduced ways of seeing and thinking about com- public good and social welfare. Future
when considering interactions between putation and its place in our society and generations must possess the ability to
technology and society. lives. In middle and secondary comput- critically analyze the affordances and
er science education, however, ethical constraints of technological advance-
A Commitment to Traversing and political dimensions of computing ment, as well as the moral imagination
Disciplinary Boundaries tend to be sidelined, including within and technical skill to create with com-
Engaging the ethics and politics of com- introductory courses such as Exploring passion and ethical integrity.
puting demands an unprecedented and Computer Science (ECS) or CS Princi-
vigorous transdisciplinary dialogue ples.5 A pedagogical focus on power and References
1. Eubanks, V. Automating Inequality: How High-Tech
between CS and the social sciences ethics in K–12 CS education has the ex- Tools Profile, Police, and Punish the Poor. St. Martin’s
and humanities. Computer science citing potential to forge new disciplinary Press, New York, NY, 2018.
2. Herkert, J.R. Ways of thinking about and teaching
instructors will need to move beyond bridges between the goals and practices ethical problem solving: Microethics and macroethics
in engineering. Science and Engineering Ethics 11, 3
decontextualized modules on ethics or of CS and parallel efforts to engage youth (Mar. 2005), 373–385.
individual courses on social impact that in civics and social justice. Additionally, 3. Margolis, J. Stuck in the Shallow End: Education, Race,
and Computing. MIT Press, Boston, MA, 2010.
deemphasize moral and political ques- intentionally broadening the intellectu- 4. Noble, S.U. Algorithms of Oppression: How Search
tions. Universities will need to create al and social purposes of CS could invite Engines Reinforce Racism. NYU Press, NY, 2018.
5. Vakil, S. Ethics, identity, and political vision: Toward
learning pathways where students gain a wider range of student identities. a justice-centered approach to equity in computer
knowledge and skills to build the tech- science education. Harvard Educational Review 88, 1
(Jan. 2018), 26–52.
nologies of the future as they simultane- History as Our Guide 6. Wiener, N. Some moral and technical consequences of
ously develop the sensibilities and intel- For computing education as a field automation. Science 131, 3410 (1960), 1355–1358.
7. Wing, J.M. Computational thinking. Commun. ACM 49,
lectual integrity to question, modify, or to rethink ethics and equity in ways 3 (Mar. 2006), 33–35.
reimagine these technologies. called for here will undoubtedly re-
Toward these ends, there are encour- quire a hard (and perhaps uncomfort- Sepehr Vakil ([email protected]) is
aging cross-disciplinary developments able) epistemological and pedagogical Assistant Professor, Learning Sciences, in the School of
Education and Social Policy at Northwestern University,
on the horizon the field should support pivot. We would do well, though, to Evanston, IL, USA.
and continue to foster. Several univer- remember a rich intellectual history Jennifer Higgs ([email protected]) is Assistant
sities with highly ranked CS programs of thinkers in our field who have laid a Professor, Learning & Mind Sciences and Language,
Literacy, & Culture, in the School of Education at the
are expanding CS learning opportuni- foundation upon which we may build. University of California, Davis, CA, USA.
ties in interesting ways (for instance, For instance, mathematician, philoso-
Northwestern’s joint Ph.D. program in pher, and pacifist Norbert Wiener for- Copyright held by authors.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 33
V
viewpoints

DOI:10.1145/3265747 Mike Tissenbaum, Josh Sheldon, and Hal Abelson

Viewpoint
From Computational Thinking
to Computational Action
Envisioning computing education that both teaches and empowers.

C
O M P U TAT I O N A L ACTION, A
new framing for computing
education, proposes that
while learning about com-
puting, young people should
also have opportunities to create with
computing that have direct impact on
their lives and their communities. In
this Viewpoint, we outline two key di-
mensions of computational action—
computational identity and digital em-
powerment—and further argue that by
focusing on computational action in
addition to computational thinking,
we can make computing education
more inclusive, motivating, and em-
powering for young learners. Learners
have the capacity to develop computa-
tional products that can have authentic
impact in their lives from the moment
they begin learning to code, all they
need is to be situated in contexts that
allow them to do so.
Too often, K–12 computing educa-
tion has been driven by an emphasis
on kids learning the “fundamentals”
of programming. Even more progres-
sive CS education that centers around math or physics students have asked, tential is particularly problematic for
the development of learners’ computa- “When will we use this in our lives?”1 young women and youth from nondom-
tional thinking has largely focused on While there have been attempts to inant groups. For these groups, who
learners understanding the nuanced situate computing education in real- have been traditionally underrepresent-
elements of computation, such as world contexts and problems, they are ed in the computing fields, it has been
variables, loops, conditionals, paral- often generic (for example, designing observed that a sense of fitting into and
lelism, operators, and data handling.10 checkout systems for supermarkets) belonging to the broader computing
This initial focus on the concepts and and fail to connect to the specific per- community is closely tied to being able
IMAGE BY BOYKO PICT URES

processes of computing, leaving real- sonal interests and lives of learners. to develop computational solutions
world applications for “later” runs the Though real-world application of their that matter to themselves and those in
risk of making learners feel that com- work is valuable for all learners, not pro- their communities.8 By connecting with
puting is not important for them to viding opportunities to develop compu- students’ real lives, we can help them
learn. It begs the question far too many tational solutions with real-world po- develop a critical consciousness of

34 COMMUNICATIO NS O F TH E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 viewpoints

the role they can play in affecting their In order to develop computational
communities through computing and action educational initiatives, we have
empower them to move beyond simply This fundamental shift developed a set of criteria that outline
learning to code. Instead, we can ask in the role computing the critical elements required.
them what they want to code and why Supporting the formation of com-
they want to code it.5 can play in students’ putational identity requires:
By situating computing education lives also requires us to ˲˲ Students must feel they are respon-
in real-world contexts that matter to sible for articulating and designing
students, we can engage more people critically reexamine the their solutions, rather than working to-
in computing, with all the benefits goals of CS education. ward predetermined “right” answers.
˲˲ Students need to feel their work is
that affords the youth and to society.
Though this may help to produce authentic to the practices and products
much-needed programmers, it will of broader computing and engineering
also produce computationally literate, communities.
problem-solving citizens. Supporting the formation of digital
goals of CS education, particularly for empowerment requires:
Reducing the Barriers for Putting K–12 students. The goal of computing ˲˲ A significant number of activities
Computational Action into Practice education needs to move beyond com- and development should be situated in
There are many challenges young putational thinking to a perspective of contexts that are authentic and person-
learners face when trying to develop computational action. A computational ally relevant.
impactful computational solutions. action perspective on computing is ˲˲ Students need to feel their work has
Many of these can be attributed to the founded on the idea that, while learn- the potential to make an impact in their
context of computing education it- ing about computing, young people own lives or their community.
self—often taking place in traditional should have the opportunity to do com- ˲˲ Students should feel they are ca-
computing labs, which are far removed puting in ways that have direct impact pable of pursuing new computational
from students’ everyday lives. How- on their lives and their communities. opportunities as a result of their cur-
ever, with the growing proliferation Through multiple design studies, rent work.
of mobile and ubiquitous computing, workshops, and global mobile app de-
there is the potential for rethinking velopment initiatives that used MIT Computational Action in Action
and recontextualizing where and how App Inventor, we have developed two We have seen firsthand the power-
students learn computing. Computing key dimensions for understanding and ful effect a computational action ap-
education can now be freed from the developing educational experiences proach can have to learning computer
desk-bound screen and connected to that support students in engaging in science. In the slums of Dharavi in
students’ lives and communities. computational action: computational Mumbai (one of the largest slums in
The ability to connect to the lives identity and digital empowerment. Asia, and the iconic location of the
of students represents a fundamental Computational identity builds on pri- film Slumdog Millionaire), a group of
shift in computing, opening up new or research that showed the impor- young women (8–16 years old) recog-
avenues for young people to see their tance of young people’s development nized women’s safety was a critical
worlds as “possibility spaces,” spaces of scientific identity for future STEM problem in their community. Despite
in which they can ask questions and growth.6 For us, computational iden- having no prior programming experi-
build solutions that address personally tity is a person’s recognition of them- ence, they were driven by the feeling
identified needs. However, in order to selves as capable of designing and im- they could effect real change in the
empower young people to build these plementing computational solutions lives of those close to them. Through
solutions, we need to provide plat- to self-identified problems or opportu- guidance from a local mentor, some
forms and learning environments that nities. Further, the students should see online videos, and MIT’s App Inven-
reduce the barriers for them to quickly themselves as part of a larger commu- tor, they were able to build the Wom-
build and implement their designs. nity of computational creators. Digital en Fight Back app, which focuses on
As one example, we developed App In- empowerment builds from the work of women’s safety and has features like
ventor, a blocks-based programming Freire2, which situates empowerment SMS alerts, location mapping, dis-
language that allows learners to build as the ability to critically engage in is- tress alarm, and emergency calls to
fully functional mobile applications sues of concern to them, and Thomas contacts. 4 Inspired by their early
without the need to deal with compli- and Velthouse,9 who see empower- success, these young women built
cated syntax. ment connecting to the concepts of several more apps, including one to
meaningfulness, competence, self-de- coordinate water pickup from public
Computational Action: termination, and impact. As such, digi- water sources, and an educational
A New Way of Framing Computing tal empowerment involves instilling in app for girls who cannot go to school.
Education for Impact young learners the belief they can put These young learners’ growth from
The fundamental shift in the role com- their computational identity into ac- no computing experience to a group
puting can play in students’ lives also tion in authentic and meaningful ways that is continually working to improve
requires us to critically reexamine the on issues that matter to them. their community through computing,

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 35
viewpoints

shows the transformational potential tional problem solving in abstracted

computational action can have. and inauthentic ways?
Building on the success of the By focusing on With rapid changes happening
Dharavi girls and other young learn- computational in both computing and computing
ers like them, we have begun devel- education landscapes, we have an op-
oping formal computing curricula action instead of portunity to reconsider how students
that incorporate the computational computational learn computing. Young learners
action model. Recently, working with have the capacity to develop compu-
teachers at a large, extremely diverse, thinking, we engage tational products that have authentic
urban, U.S. high school, we created a kids in meaningful impact in their lives from the mo-
10-week computing curriculum with ment they begin to code. They simply
App Inventor. In this curriculum, projects rather than need contexts that allow them to have
students developed computing solu- canned exercises. such impact. Computational action
tions to an issue that was personally starts to define what these contexts
relevant and meaningful to them and should look like. With more comput-
their community: raising awareness ing instructors coming online, we
and cleaning up the local riverway. have a unique opportunity to work
Exit interviews highlighted positive with them as they develop skills and
changes in the students’ perceptions not a new idea in education. Prob- practices necessary to engage in com-
of their own computational identi- lem-based learning (see for example putational action with their students.
ties and digital empowerment. From Hmelo-Silver3) has been increasingly We are excited about a world in which
not believing themselves capable of used in science and engineering edu- young learners see the world as full
building mobile apps at all, they real- cation over the past two decades. How- of opportunities for them to digitally
ized they could not only build apps, ever, putting the products students create the future they (and we) want
but that their designs could have sig- design into their communities has to inhabit.
nificant real-world impact. Many stu- been a persistent challenge. Through
dents also expressed excitement to the proliferation of mobile and ubiq- References
1. Flegg, J., Mallet, D., and Lupton, M. Students’
build new apps in the future. uitous computing, we are beginning perceptions of the relevance of mathematics in
Facilitating this kind of learner- to realize this potential. engineering. Intl. Journal of Mathematical Education
in Science and Technology 43, 6 (June 2012), 717–732.
driven and action-focused computing By focusing on computational ac- 2. Freire, P. Pedagogy of the Oppressed (20th anniversary
ed.). Continuum, NY, 1993.
education requires a reexamination tion instead of computational think- 3. Hmelo-Silver, C.E. Problem-based learning: What
of how we provide support for learn- ing, we engage kids in meaningful and how do students learn? Educational Psychology
Review 16, 3 (Mar. 2004), 235–266.
ers. It also poses new challenges for projects rather than canned exercis- 4. Joshi, S. Teenage girl coders from Mumbai slum are
teachers. Students need scaffolding es. Papert argued that in the process building apps to solve local problems. (Mar. 29, 2016);
http://mashable.com/2016/03/29/mumbai-dharavi-
in the design process to help them of developing personally meaning- girls-coding-apps/
understand how to decompose their ful projects, students would be able 5. Lee, C.H. and Soep, E. None but ourselves can free our
minds: Critical computational literacy as a pedagogy
apps into manageable and buildable to forge ideas and would learn the of resistance. Equity & Excellence in Education 49, 4
parts. Importantly, teachers need necessary coding elements by ad- (Apr. 2016), 480–492.
6. Maltese, A.V. and Tai, R.H. Eyeballs in the fridge:
to be comfortable in complex, real- dressing challenges as they naturally Sources of early interest in science. International
world situations that do not have a arise.7 This is similar to how much Journal of Science Education 32, 5 (May 2010),
669–685.
predefined solution. While this programming and computational so- 7. Papert, S. An exploration in the space of mathematics
should not require teachers to learn lution building works in the profes- educations. International Journal of Computers for
Mathematical Learning 1, 1 (Jan. 1996), 95–123.
more about programming function- sional world. People from all occupa- 8. Pinkard, N. et al. Digital youth divas: Exploring
ally, it will require them to be more tions and avocations alike come up narrative-driven curriculum to spark middle school
girls’ interest in computational activities. Journal of
flexible in how it is applied. It will re- with “projects” they want to build for the Learning Sciences 26, 3 (Mar. 2017); doi.org/10.108
0/10508406.2017.1307199
quire new strategies for helping stu- which computer programs are neces- 9. Thomas, K.W. and Velthouse, B.A. Cognitive elements
dents discover solutions on their own sary. These people plan ahead and be- of empowerment: An “interpretive” model of intrinsic
task motivation. Academy of Management Review 15,
(rather than giving them the answer), gin building, but inevitably, obstacles 4 (Apr. 1990), 666–681.
and it will require new ways of assess- arise. These computer programmers, 10. Wing, J.M. Computational thinking. Commun. ACM 49,
3 (Mar. 2006), 33–35.
ing student work. Recognizing these professionals and amateurs, com-
pedagogical shifts means we must puter scientists, engineers, scien-
Mike Tissenbaum ([email protected]) is
embrace new educational approach- tists, and many others, find answers Assistant Professor in the College of Education at the
es as we test and refine our theories to those problems within the broader University of Illinois at Urbana-Champaign, IL, USA.

on computational action. community of programmers (by ask- Josh Sheldon ([email protected]) is Associate Director,
App Inventor, at MIT, Cambridge, MA, USA.
ing colleagues directly or through
Learners Recognize Opportunities sites such as StackOverflow). If this Hal Abelson ([email protected]) is Class of 1922 Professor
of Computer Science and Engineering in the Department
to Apply Computing, then is the how computing happens in of Electrical Engineering and Computer Science at MIT.
Design and Build Solutions the real world, why is the educational Cambridge, MA, USA.

Having students drive their learn- system so often focused on students

ing or problem-solving process is learning computing and computa- Copyright held by authors.

36 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

Introducing ACM Transactions on Data Science (TDS)

A new journal from ACM publishing papers

on cross disciplinary innovative research
ideas, algorithms, systems, theory and
applications for data science

Now Accepting Submissions

The scope of ACM Transactions on Data Science

(TDS) includes cross disciplinary innovative research
ideas, algorithms, systems, theory and applications for
data science. Papers that address challenges at every stage,
from acquisition on, through data cleaning, transformation,
representation, integration, indexing, modeling, analysis,
visualization, and interpretation while retaining privacy, fairness,
provenance, transparency, and provision of social benefit, within the
context of big data, fall within the scope of the journal.

By its very nature, data science overlaps with many areas of computer science.
However, the objective of the journal is to provide a forum for cross-cutting
research results that contribute to data science as defined above. Papers that address
core technologies without clear evidence that they propose multi/cross-disciplinary
technologies and approaches designed for management and processing of large volumes
of data, and for data-driven decision making will be out of scope of this journal.

For more information and to submit your work,

please visit https://tds.acm.org.
practice
DOI:10.1145/ 3303868
The purpose of this article is to look

Article development led by
queue.acm.org
at the basics of blockchain: the indi-
vidual components, how those com-
ponents fit together, and what changes
Blockchain remains a mystery, might be made to solve some of the
despite its growing acceptance. problems with blockchain technology.
This technology is far from monolithic;
BY JIM WALDO some of the techniques can be used (at
surprising savings of resources and ef-

A Hitchhiker’s
fort) if other parts are cut away.
Because there is no single set of
technical specifications, some systems
that claim to be blockchain instances

Guide to the
will differ from the system described
here. Much of this description is taken
from the original blockchain paper.6
While details may differ, the main

Blockchain
ideas stay the same.

Goals of Blockchain
The original objective of the block-

Universe
chain system was to support “an elec-
tronic payment system based on cryp-
tographic proof instead of trust …”6
While the scope of use has grown con-
siderably, the basic goals and require-
ments have remained consistent.
The first of these goals is to ensure
the anonymity of blockchain’s users.
This is accomplished by use of a pub-
lic/private key pair, in a fashion that is
reasonably well known and not rein-
IT IS DIFFICULT these days to avoid hearing about vented by the blockchain technology.
Each participant is identified by the
blockchain. Blockchain is going to be the foundation public key, and authentication is ac-
of a new business world based on smart contracts. complished through signing with the
It is going to allow everyone to trace the provenance of private key. Since this is not specific
to blockchain, it is not considered
their food, the parts in the items they buy, or the ideas further here.
they hear. It will change the way we work, the way the The second goal is to provide a pub-
lic record or ledger of a set of transac-
economy runs, and the way we live in general. tions that cannot be altered once veri-
Despite the significant potential of blockchain, it is fied and agreed to. This was originally
also difficult to find a consistent description of what designed to keep users of electronic
currency from double-spending and to
it really is. A recent Google search for “blockchain allow public audit of all transactions.
technical papers” returned nothing but white The ledger is a record of what transac-
tions have taken place, and the order
papers for the first three screens; not a single paper of those transactions. The use of this
is peer-reviewed. One of the best discussions of the ledger for verification of transactions
technology itself is from the National Institute of other than the exchange of electronic
cash has been the main extension of
Standards and Technology, but at 50-plus pages, it is a the blockchain technology.
bit much for a quick read.9 The final core goal is for the system

38 COM MUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 to be independent of any central or vancing the ledger. These components munity can easily check that the hash
trusted authority. This is meant to be work together to provide a system that is correct.
a peer- or participant-driven system has the properties of stability, irrefut- So far, this is nothing new; it is sim-
in which no entity has more or less ability, and distribution of trust that ply a Merkle chain, which has been
authority or trust than any other. The are the goals of the system. in use for years. The wrinkle in block-
design seeks to ensure the other goals The ledger is a sequence of blocks, chain is that the calculation of the hash
as long as more than half of the mem- where each block is an ordered se- needs to add a nonce (some random
bers of the participating community quence of transactions of an agreed- set of bits) to the block being hashed
are honest. upon size (although the actual size until the resulting hash has a certain
varies from system to system). The first number (generally six or eight) of lead-
Components of Blockchain entry into a block is a cryptographic ing zeros. Since there is no way to pre-
While there are lots of different ways to hash (such as those produced by the dict the value that will give that num-
implement a blockchain, all have three Secure Hash Algorithm SHA-256) of ber of leading zeros to the hash, this is
IMAGE BY AND RIJ BORYS ASSOCIAT ES/SHUT TERSTOCK

major components. The first of these is the previous block. This prevents the a brute-force calculation, which is ex-
the ledger, which is the series of blocks contents of the previous block from be- ponentially difficult on the number of
that are the public record of the trans- ing changed, as any such change will zeros required. This makes the calcula-
actions and the order of those transac- alter the cryptographic hash of that tion of the hash for the block computa-
tions. Second is the consensus proto- block and thus can be detected by the tionally difficult and means any mem-
col, which allows all of the members of community. These hash functions are ber of the community has the chance
the community to agree on the values easy to compute but (at least to our cur- of coming up with an acceptable hash
stored in the ledger. Finally, there is the rent knowledge) impossible to reverse. with a probability that is proportional
digital currency, which acts as a reward So once the hash of the contents of a to the amount of computing resources
for those willing to do the work of ad- block is published, anyone in the com- the member throws at the problem.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 39
practice

Coming up with the hash and the right versions of the algorithms depend on a for the calculation of the next block in
nonce is a proof of work (and, perhaps, leader to initiate the voting and tally the the chain. This requires an incentive
luck) that can be easily verified by any- results. mechanism, which is where the third
one in the community. Those attempt- In the blockchain universe, how- component of the blockchain universe
ing to calculate the right hash value ever, there is a trust-free system, which enters the picture: digital currency.
for a block are the miners of the block- means there can be no leader. Further, Digital currency. The reason for a
chain world; they are exchanging com- in the blockchain universe the number miner to do all the computational work
putation for pay. of systems participating in validating to calculate the nonce and hash of a
Once a miner comes up with the right the transactions (that is, finding a hash block is that the first to do so gets an al-
nonce that produces the right hash, they for the block with the right number of location of digital currency as the first
broadcast the result to the rest of the zeros in the prefix) is not known. This transaction in the next block. This also
community, and all miners start work makes claims that a block is accept- encourages other miners to accept a
on the next block. The first entry in the ed when 51% of the miners agree on block as quickly as possible, so they can
new block will be the hash of the last the block nonsense, since there is no start doing the work to hash the next
block, and the second entry in the block known value for the number of entities block (which has likely been filled with
will be the creation of some amount of trying to agree. transactions during the time it took to
currency assigned to the miner who Instead, the majority is determined hash the previous block). Bitcoin was
found the hash for the previous block. by the calculation of the hash for the the original blockchain currency and in-
This works only if you have a block next block. Since that block begins centive; in September 2017 the reward
to start the chain. This is done in the with the hash of the previous block, for hashing a block was 12 bitcoins8
same way all systems get started: by and since the likelihood of the next when the exchange rate was 1 bitcoin
cheating and declaring a block to be block’s hash being calculated is pro- = ~$4,500 U.S. (prices fluctuate rather
the Genesis block. portional to the amount of computing wildly). This reward halves (for bitcoin)
It is possible that two different min- resources trying to calculate the ap- every 210,000 blocks. The next halving
ers could both find, at the same time propriate hash for the next block, if a is expected around May 25, 2020.1
(or close enough), a nonce that gives majority of the computing power avail- Other digital currencies work in a
a candidate hash value with the right able to the miners starts to work on a similar fashion. To spend the currency,
number of leading zeros, or that some- block that is seeded with the previous entries are made in the then-current
one seeing a nonce that works could hash, then that block is more likely to block, which acts as a ledger of all the
claim the discovery as their own. There be offered as the next block. This is the currency exchanges for a particular
could even be two different blocks be- reason for consensus being tied to the ledger/digital coin combination.
ing proposed as the next entry in the longest chain, as that chain will be pro-
chain. Dealing with such issues re- duced by the largest number of com- Problems with Blockchain
quires the next component of the sys- puting resources. While blockchain was originally pro-
tem: the consensus protocol. This mechanism relies on the gen- posed as a mechanism for trustless
Consensus protocols are among the eration of a hash with the right set of digital currency, its uses have expand-
most-studied aspects of distributed leading zeros being genuinely random. ed well beyond that particular use case.
systems. While it was proved some Being random also means that on oc- Indeed, the emphasis seems to have bi-
time ago that no algorithm will guaran- casion someone will get lucky and a furcated into companies that empha-
tee consensus if there is a possibility of chain that is being worked on by a mi- size the original use for currency (thus
any kind of failure,3 a number of well- nority of the miners will be hashed ap- the explosion of initial coin offerings,
known protocols such as Paxos4 have propriately before a chain that is being which create new currencies) and the
been used in systems for some time worked on by a larger amount of com- use of the ledger as a general mecha-
to give highly reliable mechanisms for puting resources. nism for recording and ordering trans-
distributed agreement. In consensus In an important sense, however, this actions. For the first use, the claim is
protocols such as Paxos, however, it is does not matter. The blockchain uni- that blockchain can replace outdated
assumed the systems that must reach verse defines a majority as the produc- notions of currency and allow a new,
agreement are known. tion of an appropriate nonce and hash. private, friction-free economy. For the
Depending on the failure model Sometimes this means more than half latter use, the claim is that blockchain
used, the number of systems that must of the computing power has worked on can be used to track supply chains, cre-
agree to reach consensus changes. the problem, but other times it might ate self-enforcing contracts, and gen-
When a majority of systems agree in mean only one (exceptionally lucky) erally eliminate layers of mediation in
such a protocol (for some definition of miner got the answer. This might mean any transaction.
majority), consensus has been reached a set of transactions in a block that is Both of these kinds of uses pres-
in systems that want to protect from not verified first need to be rolled back, ent some serious problems. Many
non-byzantine failure. If the system is but that is the nature of in-flight trans- are problems any new technology
subject to byzantine failure, then two- actions. encounters in replacing entrenched
thirds of the systems (plus one) need It does mean all of the miners in interests, but a number of them are
to agree. While the voting can be done the blockchain universe need to move technical in nature; those are the
in peer-to-peer systems, most efficient to a newly hashed block as the basis ones discussed here.

40 COM MUNICATIO NS O F TH E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 practice

A number of criticisms of block- its own complexity in order to have a

chain center on the mechanism used transaction that crosses these shards,
to create an accepted hash for a block. since the notion of ensured consis-
To ensure this can be discovered by tency requires that all ledgers are
anyone, the mechanism needs to be
one that takes significant computation While blockchain self-contained to allow consistency
checking within each ledger. A new
but can be easily verified. To ensure
the blocks that are verified cannot be
was originally blockchain could be created to be
used for cross-blockchain transac-
changed, the computation needs to proposed as a tions, but the incentive mechanism
be impractical to reverse. Hashing the
block using a function such as SHA-256
mechanism for for that blockchain would be a new
electronic currency that would need
and requiring that a nonce value is add- trustless digital to stay within the ecosystem of this
ed until some number of leading zeros
appears in the hash fits these charac-
currency, its uses new blockchain. Getting the interact-
ing blockchains to trust the mediating
teristics nicely. This very set of require- have expanded blockchain is an unsolved problem.
ments, however, means the consensus
mechanism has intrinsic limitations. well beyond that There have also been attempts
to use some mechanism other than
Scaling. An obvious worry about
the consensus-by-hashing mechanism
particular use case. proof of work to drive the consensus
protocol. Perhaps the best known of
used in blockchain is whether the tech- these is the proof-of-stake approach,
nology can scale to the levels needed in which a block can be calculated in
for more general use. According to much simpler ways, and consensus is
blockchain.com, the number of con- reached when those with a majority of
firmed transactions averages around the currency agree on the hashing of
275,000 per day, with a peak over the the block. Since the amount of curren-
last year of about 380,000.2 This is an cy and its owners are known, this is not
impressive number but hardly the subject to the problem of not knowing
400,000 transactions per minute that the members of the community to vote.
major credit-card systems perform on But this does reintroduce the notion
peak days. Blocks can currently be veri- of trust to the system; those who have
fied at a rate of four to six per second, more money have more of a stake, and
and this is the limiting factor on the therefore are trusted more than those
number of transactions. who have less of a stake. This is the
While there are a number of pro- electronic equivalent of an oligarchy,
posals to deal with scaling block- which has not worked particularly well
chain, it is unclear how these fit with in the past but might prove more stable
the base design of the system. Making in this context.
the verification of a block difficult and Power consumption. A second criti-
random is an important aspect of the cism of blockchain technology that is
basic design of blockchain; this is the an outgrowth of the consensus mech-
proof of work that is at the core of the anism is the amount of energy con-
trustless consensus algorithm. If the sumed in the discovery of an appro-
verification of a block is made easier, priate hash for a block. Calculating a
then the probabilistic guarantees of any hash with the appropriate number of
miner being able to discover the appro- leading zeros requires many hashing
priate hash decreases, and the possibil- calculations, which in turn burn a lot
ity of some miner with a large amount of electricity; some have claimed that
of computing taking over the chain in- bitcoin and related cryptocurrencies
creases. Verifying a block is meant to be are mechanisms to transform elec-
hard; that’s how the system avoids hav- tricity into currency. The estimates
ing to trust any particular member or of how much electricity is consumed
set of members. range from the low side stating that it
One mechanism suggested for scal- is about as much as is used by the city
ing is to shard the blockchain into a of San Jose, CA, to the high side that
number of different chains, so that it is equivalent to Denmark’s power
transactions can be done in parallel consumption. No matter which model
in different chains. This is happen- is used for the calculation, the answer
ing in the different coin exchanges; is large.
each coin system can be thought of The hope is that this energy drain
as a separate shard. This introduces will diminish, perhaps by changing the

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 41
practice

hardware used for the hashing to some- is responsible for keeping the ledger known cryptographic protocols could
thing far more efficient (such as special- (a leader). Transactions are written to be done in a number of ways. Doing it
ized ASICs). Making the hashing pro- the ledger, and when the ledger block on top of a system such as blockchain
cess more efficient, however, is at odds reaches an appropriate size, the lead- is needed if the requirement that the
with blockchain’s fundamental mecha- er hashes the ledger, uses the hash to system be trustless (except for trusting
nism of trusting no one; the point is start a new block, and continues (just the software) is added. Such a trustless
that the verification of a block must be as in the current blockchain). system comes with a cost.
difficult and random so that any miner The difference is that there is no Whether the cost is worth it is a de-
is equally likely to find the hash. need for the leader to randomly try val- cision that requires an understanding
The energy consumption might ues added to the block until the right of the various parts of the system and
be less worrisome if the calculations number of leading zeros is produced how they interact. A public, unforge-
eating all of this power were gener- in the hash. Without that requirement, able, unchangeable ledger is possible
ally useful. SETI@home, for example, the hash can be done very quickly with without cryptocurrency or a consensus
uses a considerable amount of energy little energy expense. The block still algorithm based on a difficult-to-com-
by offloading analysis of background can’t be changed (since the hash is still pute one-way function that is easily ver-
radio-wave transmissions to Internet- a one-way function), and any member ified. Cryptocurrencies can be created
connected computers. This initiative, of the consortium (or anyone else who without the use of either a public led-
based at UC Berkeley’s SETI (Search for has access to the ledger) can quickly ger or a trustless consensus algorithm.
Extraterrestrial Intelligence) Research check the hash. A public, verifiable, And consensus algorithms can be cre-
Center, is trying to find signs of other and unchangeable ledger can be pro- ated that do not require a financial in-
intelligent life in the universe, which is duced in this way but at much lower centive system or a public ledger.
seen by the participants as worth doing cost in both time and energy.
(and paying for the extra electricity). This does require trust in the various
Related articles
Perhaps the calculation used to ver- members of the consortium, but verify- on queue.acm.org
ify the blockchain could be changed to ing that the consortium is not cheat-
Bitcoin’s Academic Pedigree
something that offered more than just ing on the hashing of a block would be
Arvind Narayanan and Jeremy Clark
verification of the blockchain. Such easy. This is not a fully centralized trust https://queue.acm.org/detail.cfm?id=3136559
a calculation would need to have the in a single entity but, rather, trusting a
Research for Practice: Cryptocurrencies,
properties of being equally possible group. The larger and more varied the Blockchains, and Smart Contracts;
for all miners to find (given equality of group, the less likely the group would Hardware for Deep Learning
computing resource), difficult to find, collude. Note also that such a system https://queue.acm.org/detail.cfm?id=3043967
and easy to verify. It is not clear what does not need an incentive mechanism Certificate Transparency
this calculation might be. such as a digital currency to operate. Ben Laurie, Google
Trust. Perhaps the most problem- https://queue.acm.org/detail.cfm?id=2668154
atic aspect of blockchain is its core Who Do You Trust?
notion of being trustless. Much of the Maybe you really do not want to trust References
1. Bitcoinblockhalf.com. Bitcoin block reward halving
complexity of the technology is caused anyone. Calibrating paranoia is diffi- countdown.
2. Blockchain.com. Confirmed transactions per day,
by this requirement. It is unclear, how- cult, and perhaps you really do want to 2018; https://www.blockchain.com/charts/n-transacti
ever, that this is even necessary for the have an economic system in which no ons?daysAverageString=7.
3. Fischer, M., Lynch, N.A., Paterson, M. Impossibility of
kinds of uses people talk about as core specifiable set of entities has the ability distributed consensus with one faulty process. JACM
to blockchain, or that the system is ac- to collude and control the system. That 32,2 (1985), 374–382.
4. Lamport, L. The part-time parliament. ACM Trans.
tually free of trust. is the real reason for blockchain. Computer Systems 16, 2 (1998), 133–169.
It is because of the lack of trust As Ken Thompson pointed out in 5. Morris, D.Z. Bitcoin is in wild upheaval after the
cancellation of the Segwit2x fork. Fortune (Nov.
that the system requires verification 1984, trust has to happen somewhere.7 12, 2017); http://fortune.com/2017/11/12/bitcoin-
of the block to be computationally Even if you do not trust any group to upheavel-segwit2x-fork/.
6. Nakamoto, S. Bitcoin, a peer-to-peer electronic cash
difficult, one-way, and easy to verify. calculate the blocks, you need to trust system, 2008; https://bitcoin.org/bitcoin.pdf.
If this requirement of trustlessness the developers of the software being 7. Thompson, K. Reflections on trusting trust. Commun.
ACM 27, 8 (Aug. 1984), 761–763; https://dl.acm.org/
were dropped, then production of a used to manage the blocks, the ledgers, citation.cfm?id=358210.
public ledger that was unchangeable and the rest. Everything from bugs to 8. Trubetskoy, G. Electricity cost of 1 bitcoin (Sept. 2017);
https://grisha.org/blog/2017/09/28/electricity-cost-
and easily verified could be done eas- design changes5 in the software have of-1-bitcoin/.
ily. Suppose such a ledger is to be used led to forks in the bitcoin ecosystem 9. Yaga, D., Mell, P., Roby, N., Scarfone, K. Blockchain
technology overview. NISTIR 8202 (Oct. 2018).
for inter-bank transfer (which has been that have caused considerable churn National Institute of Standards and Technology;
in those systems. If your trust is in the https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.
suggested as a use for blockchain). In- IR.8202.pdf.
stead of a trustless system, however, security and solidity of the code, that is
the users decide to trust a consortium a choice you make. But it is not a trust- Jim Waldo is a professor of the practice of computer
of major banks, the Federal Reserve less system. science at Harvard University, where he is also the chief
technology officer for the School of Engineering, a position
Board, and some selection of consum- A public, nonrefutable, unalter- he assumed after leaving Sun Microsystems Laboratories.
er watchdog agencies or organizations. able ledger for transactions could be
This consortium could choose a mem- a useful tool for a number of applica- Copyright held by author/owner.
ber (perhaps on a rotating basis) who tions. Building such a system on top of Publication rights licensed to ACM.

42 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 DOI:10.1145/ 3 3 0 3 8 78


Article development led by
queue.acm.org

Four challenging work situations

and how to handle them.
BY KATE MATSUDAIRA

Design
Patterns for
Managing Up
been in a situation where you are
H AV E YOU E V E R
presenting to your manager or your manager’s
manager and you completely flub the opportunity
by saying all the wrong things? Me too. It is from
such encounters that I started to put together design
patterns for handling these difficult situations. I like
to think in systems and patterns, so ap- of you, and you just aren’t certain of
plying this way of thinking to commu- the answer.
nication just makes sense. I have also Sure, the obvious answer is to say,
found these rules of thumb are useful to “I don’t know.” But what if the person
others, so I would like to share them here. asking you that question is a customer?
When you can spot the patterns, you What if that person is your VP? What
can use some of the ideas presented if you are interviewing for a new role?
here as guidelines to navigate these Suddenly, the stakes are raised and you
tricky, high-stress scenarios. This way just don’t want to say, “I don’t know.”
you can feel confident and capable as You don’t want to look uninformed or
a leader because you will know what to unprofessional. All of a sudden there
do: how to solve the problem and what is social pressure to be the person with
steps to follow next. the right answer.
Here are some of the most common In the moment, the desire to say
challenging situations you may run into anything but “I don’t know” is so over-
at work and how you can handle them. whelming that you may end up mak-
ing up something on the spot, trying to
1. Someone asks you something be as vague as possible so you can’t be
you don’t know. wrong. But—as you know if someone
You are in a meeting (where you know has done this to you—it’s usually ob-
you are expected to know all the an- vious to the other people in the room
swers) when someone asks a question that you don’t know the answer, and

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 43
practice

now that interaction will negatively Even if all you can say is that you are
color their view of you. aware and will update with more in-
They still end up knowing that you formation at a specific time, then you
don’t know, but now you have also are at least able to fulfill a promise to
wasted their time. Or even worse, you your boss/team/customer by following
give them an answer you think is cor- through and giving them an update
rect, but you turn out to be wrong. at the specified later time. This is far
Then you are in a situation where you better than making them wait in ra-
actually are uninformed, and you are dio silence while you try to figure out
left crossing your fingers hoping no what is going on. They will spend that
one will ever find out. time feeling negative about you or your
If you take the long view, you will re- team, which only amplifies the impact
alize it is always much better to admit of the problem.
you don’t know something, but then Tip: Look for ways you can help your
take action to fix it. customers avoid having a bad experi-
In this case the pattern is: ence with your product, whether with
A. Admit you aren’t certain. a notification letting them know about
B. Own the follow-up to determine the problems or pointers to documen-
the answer. it is actually an opportunity to show tation to help them work around it.
C. Give a timeline for when you will you are an asset to the bosses.
follow up. In general, it is always better to con- 3. There is a decision that
D. Deliver a correct, concise, and trol the message and have your man- you don’t agree with.
thoughtful response. agement learn of the problem from When you care a lot about your work,
When you say, “I don’t know, but I you (instead of a customer or a boss). it can be really difficult to get behind
can investigate and get back to you af- Great leadership is keeping everyone a decision you don’t agree with. You
ter lunch” or “I don’t know, but ______ on the same page, and it is your job to might feel like it is worth speaking
does and I will ask her and get back to communicate proactively so there are up—but this can be challenging when
you by the end of the day,” suddenly no surprises. that decision is made by someone who
you are a person solving a problem. If your system experiences an out- is one, two, or more levels above you.
Any time you don’t know, be clear age or any other customer-impacting Sure, many technology execs claim
that you don’t know, but follow up issue, you should be the first person to they want everyone who disagrees to
with a plan for how you will get the share the issue with your manager, cus- raise questions, but is that something
information and with a deadline for tomers, team, or whoever is affected by you really want to gamble your career
conveying that information. That is the problem. This makes you the pro- on? When it comes to navigating these
all the person asking the question re- active one who discovered the problem situations, there is generally a right
ally wants anyway: for you to supply and is already working to address it be- way and a wrong way to disagree.
the answer. fore anyone else even knows about it. When you first hear about a deci-
Smart people don’t know every- For this pattern the steps are: sion that you think is a bad call—
thing; they just know where to look to A. Let the key people know you know such as a re-org or a new feature you
find out what they need to know. about the problem and are working on believe is a waste of time—it can be
a solution. Establish yourself as the a really fraught moment. You might
2. There is a problem that is owner and let them know you will see feel frustrated or angry, which can
your fault or responsibility. this through to the finish. lead you to give an overly emotional
Have you ever been in a situation where B. Share steps if you know them, but response that is both unproductive
something went wrong (such as a sys- if you do not know the answer, let the and ineffective.
tem outage) and you wanted to figure key people know when you will pro- Remember there is someone in the
out the cause/solution to the problem vide the next update (for example, “We chain who thinks this is a good idea;
before broadcasting it more widely? aren’t sure what caused the problem, that is why it is being implemented.
I know this is how I feel—especially if or the impact, but will provide another So, it is worth your time to try to under-
keeping that system up and running is update in an hour”). stand the “why” behind this idea—it
my (or my team’s) responsibility. C. Give a timeline. This is the most just might change your mind, and even
When problems occur, there is a important thing you can do. When if it doesn’t, it will give you the context
natural instinct to hide or deny the will the problem be fixed? If you don’t you need to make an argument that
problem is a problem, or that it is even know when or how it will be fixed yet, could actually convince the decision
happening at all. We want to minimize when will you provide an update? What maker that you are right.
IMAGE BY ALEXEY BLOGOOD F

the problems that are our responsibil- possible solutions are you going to try Next time there is a decision that
ity because, after all, a big part of our and when will you know the results? you don’t agree with, instead of jump-
job is to make sure problems don’t Give specific answers to specific ing to “no,” try asking about the goal.
happen. When you are proactive about questions. It is never okay just to say, What is this person trying to achieve?
sharing and fixing a problem, however, “We’re working on it.” If you still don’t agree with the explana-

44 COMM UNICATIO NS O F THE AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 practice

tion, you can try researching the prob- text and reasoning with your team, and hurts or that you do not agree with, try
lem and providing an alternative plan. then do everything you can to make the to remain calm in the moment. Focus
(You will always be taken more serious- situation better (which can be helping on slowing down your breathing, be
ly if you can provide another solution the cause succeed, mitigating fall-out, aware of your heart rate, and try to keep
instead of just saying the current plan and so on). your face relaxed.
is a bad idea.) Then say, “I hear you. I will be more
Sometimes you will not change 4. Your manager gives you mindful of that in the future.”
anyone’s mind. If this is the case, negative feedback. That’s it, and the only pattern for
then it’s time to shift your perspec- I have a love/hate relationship with this one.
tive and implement the change as it feedback. I love it because it is neces- If your manager has more to say,
has been outlined to you. Even so, sary to improve, but I hate it because he or she will say it. If you are not clear
there is still a benefit to understand- no matter how much I try, I can’t help on exactly what the person means or if
ing the reasoning behind a change but take it personally. you are genuinely interested in hear-
you don’t agree with. No matter how amazing you are at ing suggestions for what you could do
As a leader, you do not want to tell your job, you will sometimes get feed- next time, ask. But don’t snap at this
your team the reason things are chang- back about things you could be doing person or start giving them the third
ing is “because ______ made me do it.” better. It can be difficult to hear, espe- degree about the feedback. If you think
That makes it seem like you have no cially if you are someone who works re- you might react emotionally or angrily,
power, as though you do things just be- ally hard all the time. When it comes to then simply say the phrase noted here,
cause you are told to. It certainly won’t negative feedback, it is important to re- thank your boss for the feedback, and
inspire confidence in your team or frame the conversation. Feedback isn’t then leave.
make them any more likely to embrace a bad thing. It is a gift, and you should You can always send an email mes-
the decision. always adopt a growth mind-set and sage later, after you have had a chance
Instead, you want to explain that you see it as a chance to improve. to collect your thoughts, then get
are implementing a change because I once had a manager give me some further clarification at that time. Let
of XYZ reason. If questioned, you can feedback on a meeting I had been part your boss know you have been think-
mention you shared concerns about of. The meeting had gone off the rails, ing about it and took the feedback to
the plan with your leaders, but then and I had done my best to get people heart. Ask in an open and authentic
reiterate the reasoning behind the cur- back on track and focused. My manag- way for advice.
rent plan with your team. Ultimately, it er hadn’t been there, but he had been Look for patterns and be the version
is your job to commit to the organiza- told by other people in the meeting of yourself that you want to be. Chal-
tion’s strategy and help your team suc- that my tactics had rubbed some peo- lenges come up all the time at work.
ceed within that strategy. ple the wrong way. Spend time now thinking about how
There is never a 100% right answer In the moment, I was frustrated. I you want to be seen at work, and then
at work. There are just different ap- did not agree with the feedback at all, think about how that version of you
proaches and trade-offs with each ap- so I wanted to get to the bottom of it. would respond to the challenges that
proach. It’s not your job to agree with This was a big mistake. Suddenly, my you could encounter. When you have a
your leadership 100% of the time, but it boss was on the defensive. I was ask- plan in place, you are much more likely
is your job to make the company as suc- ing him really direct questions: “What to succeed.
cessful as possible. does that mean?” and “What could I I hope your find these tips useful,
So, when a decision is made that have done differently?” I was forcing and if you have additional ones to add
does not make sense to you, here are him to explain a situation he didn’t re- to the mix, please leave a comment.
the steps: ally know about.
A. Take the emotion out of it—wait a It harmed my relationship with that
Related articles
day or two if you need time to clear your manager, and I had to do a lot of work on queue.acm.org
head. to repair it.
Views from the Top
B. Don’t disagree; ask about the con- I talked to my mentor about the sit-
Kate Matsudaira
text and reasons for the change. uation, and my mentor reminded me https://queue.acm.org/detail.cfm?id=3156692
C. Start with your manager or the that every time you get feedback it is an
People and Process
main decision maker if you have a prior opportunity to grow. It is valuable, be- James Champy
relationship, and then escalate up the cause it is a chance to learn more about https://queue.acm.org/detail.cfm?id=1122687
chain of command together (rather how you can be better. Broken Builds
than just emailing your thoughts to the Keep in mind that as difficult as it Kode Vicious
CEO). is to receive negative feedback, it isn’t https://queue.acm.org/detail.cfm?id=1740550
D. Research and present alterna- always easy for your manager to give
tive options that will achieve the same that feedback either. No one really en- Kate Matsudaira (katemats.com) is an experienced
technology leader. She has worked at Microsoft and
goals. joys conveying bad news. So, handling Amazon and successful startups before starting her own
E. If you do not succeed in swaying it the right way is also an opportunity company, Popforms, which was acquired by Safari Books.

the decision maker, then support the to create a positive encounter with your Copyright held by author/owner.
plan of action. Be sure to share the con- manager. When you get feedback that Publication rights licensed to ACM.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 45
practice
DOI:10.1145/ 3287287
so the reconstruction no longer results

Article development led by
queue.acm.org
in the original data. This has implica-
tions for the 2020 census.
The goal of the census is to count
These attacks on statistical databases every person once, and only once, and
are no longer a theoretical danger. in the correct place. The results are
used to fulfill the Constitutional re-
BY SIMSON GARFINKEL, JOHN M. ABOWD, quirement to apportion the seats in
the U.S. House of Representatives
AND CHRISTIAN MARTINDALE
among the states according to their
respective numbers.

Understanding
In addition to this primary purpose
of the decennial census, the U.S. Con-
gress has mandated many other uses

Database
for the data. For example, the U.S. De-
partment of Justice uses block-by-
block counts by race for enforcing the

Reconstruction
Voting Rights Act. More generally, the
results of the decennial census, com-
bined with other data, are used to

Attacks on
help distribute more than $675 bil-
lion in federal funds to states and lo-
cal organizations.
Beyond collecting and distributing

Public Data data on U.S. citizens, the Census Bu-

reau is also charged with protecting the
privacy and confidentiality of survey re-
sponses. All census publications must
uphold the confidentiality standard
specified by Title 13, Section 9 of the
U.S. Code, which states that Census Bu-
reau publications are prohibited from
identifying “the data furnished by any
particular establishment or individu-
IN 2020, TH E U.S. Census Bureau will conduct the al.” This section prohibits the Census
Constitutionally mandated decennial Census of Bureau from publishing respondents’
Population and Housing. Because a census involves names, addresses, or any other infor-
mation that might identify a specific
collecting large amounts of private data under the person or establishment.
promise of confidentiality, traditionally statistics Upholding this confidentiality re-
quirement frequently poses a chal-
are published only at high levels of aggregation. lenge, because many statistics can
Published statistical tables are vulnerable to database inadvertently provide information in
reconstruction attacks (DRAs), in which the underlying a way that can be attributed to a par-
ticular entity. For example, if a statis-
microdata is recovered merely by finding a set of tical agency accurately reports there
microdata that is consistent with the published are two persons living on a block and
the average age of the block’s resi-
statistical tabulations. A DRA can be performed by using dents is 35, that would constitute an
the tables to create a set of mathematical constraints improper disclosure of personal in-
and then solving the resulting set of simultaneous formation, because one of the resi-
dents could look up the data, sub-
equations. This article shows how such an attack can be tract their contribution, and infer
addressed by adding noise to the published tabulations, the age of the other.

46 COMMUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 Of course, this is an extremely simple duce summary statistics without re- a database carefully to reveal its under-
example. Statistical agencies have un- vealing information about individual lying confidential data.4 Even a surpris-
derstood the risk of such unintended records. Three approaches emerged: ingly small number of random queries
disclosure for decades and have devel- auditing database queries, so that us- can reveal confidential data, because
oped a variety of techniques to protect ers would be prevented from issuing the results of the queries can be com-
data confidentiality while still publish- queries that zeroed in on data from bined and then used to “reconstruct”
ing useful statistics. These techniques specific individuals; adding noise to the underlying confidential data. Add-
include cell suppression, which prohib- the data stored within the database; ing noise to either the database or to
its publishing statistical summaries and adding noise to query results.1 Of the results of the queries decreases the
from small groups of respondents; top- these three, the approaches of adding accuracy of the reconstruction, but it
coding, in which ages higher than a cer- noise proved to be easier because the also decreases the accuracy of the que-
tain limit are coded as that limit before complexity of auditing queries in- ries. The challenge is to add sufficient
statistics are computed; noise-injection, creased exponentially over time—and, noise in such a way that each individu-
in which random values are added to in fact, was eventually shown to be NP al’s privacy is protected, but not so
some attributes; and swapping, in which (nondeterministic polynomial)-hard.8 much noise that the utility of the data-
some of the attributes of records repre- Although these results were all couched base is ruined.
senting different individuals or families in the language of interactive query sys- Subsequent publications3,6 refined
are swapped. Together, these tech- tems, they apply equally well to the ac- the idea of adding noise to published
niques are called statistical disclosure tivities of statistical agencies, with the tables to protect the privacy of the indi-
limitation (SDL). database being the set of confidential viduals in the dataset. Then in 2006,
Computer scientists started explor- survey responses, and the queries being Cynthia Dwork, Frank McSherry, Kobbi
IMAGE BY IGOR ST EVA NOVIC

ing the issue of statistical privacy in the the schedule of statistical tables that Nissim, and Adam Smith proposed a
1970s with the increased availability of the agency intends to publish. formal framework for understanding
interactive query systems. The goal was In 2003, Irit Dinur and Kobbi Nis- these results. Their paper, “Calibrating
to build a system that would allow us- sim showed that it isn’t even necessary Noise to Sensitivity in Private Data Anal-
ers to make queries that would pro- for an attacker to construct queries on ysis,”5 introduced the concept of differ-

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 47
practice

ential privacy. They provided a mathe- dentiality of the 2020 microdata that tion of a block with just seven people is
matical definition of the privacy loss underlies unprotected statistical ta- an insignificant risk for the country as
that persons suffer as a result of a data bles if privacy-protecting measures a whole, this attack can be performed
publication, and they proposed a mech- are not implemented. To help under- for virtually every block in the United
anism for determining how much noise stand the importance of adopting for- States using the data provided in the
must be added for any given level of pri- mal privacy methods, this article pres- 2010 census. The final section of this
vacy protection (the authors received ents a database reconstruction of a article discusses the implications of
the Test of Time award at the Theory of much smaller statistical publication: this for the 2020 decennial census.
Cryptography Conference in 2016 and a hypothetical block containing seven
the Gödel Prize in 2017). people distributed over two house- An Example Database
The 2020 census is expected to holds. (The 2010 U.S. Census con- Reconstruction Attack
count approximately 330 million peo- tained 1,539,183 census blocks in the To present the attack, let’s consider the
ple living on about 8.5 million blocks, 50 states and the District of Columbia census of a fictional geographic frame
with some inhabited blocks having as with between one and seven residents. (for example, a suburban block), con-
few as a single person and other The data can be downloaded from ducted by the fictional statistical agen-
blocks having thousands. With this https://bit.ly/2L0Mk51) cy. For every block, the agency collects
level of scale and diversity, it is diffi- Even a relatively small number of each resident’s age, sex, and race, and
cult to visualize how such a data re- constraints results in an exact solution publishes a variety of statistics. To sim-
lease might be susceptible to database for the blocks’ inhabitants. Differen- plify the example, this fictional world
reconstruction. We now know, howev- tial privacy can protect the published has only two races—black or African
er, that reconstruction would in fact data by creating uncertainty. Although American, and white—and two sexes—
pose a significant threat to the confi- readers may think that the reconstruc- female and male.
The statistical agency is prohibited
Table 1. Fictional statistical data for a fictional block. from publishing the raw microdata
and instead publishes a tabular report.
Age Table 1 shows fictional statistical data
Statistic Group Count Median Mean for a fictional block published by the
1A Total Population 7 30 38 fictional statistics agency. The “statis-
2A Female 4 30 33.5
tic” column is for identification pur-
poses only.
2B Male 3 30 44
Notice that a substantial amount
2C Black or African American 4 51 48.5 of information in Table 1 has been
2D White 3 24 24 suppressed—marked with a (D). In
3A Single Adults (D) (D) (D) this case, the statistical agency’s dis-
3B Married Adults 4 51 54
closure-avoidance rules prohibit it
from publishing statistics based on
4A Black or African American Female 3 36 36.7
one or two people. This suppression
4B Black or African American Male (D) (D) (D) rule is sometimes called “the rule of
4C White Male (D) (D) (D) three,” because cells in the report
4D White Female (D) (D) (D)
Table 3. Variables associated with
5A Persons Under 5 Years (D) (D) (D) the reconstruction attack.
5B Persons Under 18 Years (D) (D) (D)
5C Persons 64 Years or Over (D) (D) (D) Marital
Note: Married persons must be 15 or over Person Age Sex Race Status
1 A1 S1 R1 M1
2 A2 S2 R2 M2
3 A3 S3 R3 M3
Table 2. Possible ages for a median of 30 and a mean of 44. 4 A4 S4 R4 M4
5 A5 S5 R5 M5
6 A6 S6 R6 M6
A B C A B C A B C
7 A7 S7 R7 M7
1 30 101 11 30 91 21 30 81
2 30 100 12 30 90 22 30 80
Key
3 30 99 13 30 89 23 30 79
Female 0
4 30 98 14 30 88 24 30 78
Male 1
5 30 97 15 30 87 25 30 77
Black or 0
6 30 96 16 30 86 26 30 76 African
7 30 95 17 30 85 27 30 75 American
8 30 94 18 30 84 28 30 74 White 1
9 30 93 19 30 83 29 30 73 Single 0
10 30 92 20 30 82 30 30 72 Married 1

48 COMMUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 practice

sourced from fewer than three people

are suppressed. In addition, comple-
mentary suppression has been ap-
plied to prevent subtraction attacks
SAT and SAT Solvers
on the small cells. The Boolean SAT problem was the first to be proven NP-complete.9 This problem asks,
for a given Boolean formula, whether replacing each variable with either true or false
Encoding the constraints. The da- can make the formula evaluate to true. Modern SAT solvers work well and reasonably
tabase can be reconstructed by treat- quickly in a variety of SAT problem instances and up to reasonably large instance sizes.
ing the attributes of the persons liv- Many modern SAT solvers use a heuristic technique called CDCL (conflict-driven
clause learning).10 Briefly, a CDCL algorithm:
ing on the block as a collection of 1. Assigns a value to a variable arbitrarily.
variables. A set of constraints is then 2. Uses this assignment to determine values for the other variables in the formula
extracted from the published table. (a process known as unit propagation).
The database reconstruction finds a 3. If a conflict is found, backtracks to the clause that made the conflict occur and
undoes variable assignments made after that point.
set of attributes that are consistent 4. Adds the negation of the conflict-causing clause as a new clause to the master
with the constraints. If the statistics formula and resumes from step 1.
are highly constraining, then there This process is fast at solving SAT problems because adding conflicts as new clauses
has the potential to avoid wasteful “repeated backtracks.” Additionally, CDCL and its
will be a single possible reconstruc-
predecessor algorithm, DPLL (Davis–Putnam–Logemann–Loveland), are both provably
tion, and the reconstructed micro- complete algorithms: they will always return either a solution or “Unsatisfiable” if given
data will necessarily be the same as enough time and memory. Another advantage is that CDCL solvers reuse past work
the underlying microdata used to when producing the universe of all possible solutions.
A wide variety of SAT solvers are available to the public for minimal or no cost.
create the original statistical publi- Although a SAT solver requires the user to translate the problem into Boolean formulae
cation. Note that there must be at before use, programs such as Naoyuki Tamura’s Sugar facilitate this process by translating
least one solution because the table user-input mathematical and English constraints into Boolean formulae automatically.
is known to be formulated from a
real database.
For example, statistic 2B states
that three males live in the geography.
This fictional statistical agency has
previously published technical speci-
Sugar Input
Sugar input is given in a standard constraint satisfaction problem (CSP) file format.
fications that its computers internally A constraint must be given on a single line of the file, but here we separate most
represent each person’s age as an in- constraints into multiple lines for readability. Constraint equations are separated by
comments describing the statistics they encode.
teger. The oldest verified age of any Input for the model in this article is available at https://queue.acm.org/appendices/
human being was 122.14 If we allow Garfinkel_SugarInput.txt.
for unreported supercentenarians
and consider 125 to the oldest possi-
ble age of a human being, there are To continue with the example, statis- ; First define the integer
only a finite number of possible age tic 1A establishes the universe of the variables, with the range
combinations, specifically: constraint system. Because the block 0..125
contains seven people, and each has (int A1 0 125)
four attributes (age, sex, race, and mari- (int A2 0 125)
tal status), that creates 28 variables, rep- (int A3 0 125)
Within the 317,750 possible age com- resenting those four attributes for each (int A4 0 125)
binations, however, there are only 30 person. These variables are A1… A7 (int A5 0 125)
combinations that satisfy the constraints (age), S1… S7 (sex), R1… R7 (race), and (int A6 0 125)
of having a median of 30 and a mean of M1… M7 (marital status), as shown in (int A7 0 125)
44, as reported in Table 1. (Notice that Table 3. The table shows the variables ; Statistic 1A: Mean age is 38
the table does not depend on the oldest associated with the DRA. The coding of (= (+ A1 A2 A3 A4 A5 A6 A7)
possible age, so long as it is 101 or over.) the categorical attributes is presented (* 7 38)
Applying the constraints imposed by the in the key. )
published statistical tables, the possible Because the mean age is 38, we
combinations of ages for the three males know that: Once the constraints in the statisti-
can be reduced from 317,750 to 30. Table cal table are turned into s-expressions,
2 shows the 30 possible ages for which A1 + A2 + A3 + A4 + A5 + A6 + A7 = 7 × 38 the SAT solver solves them with a brute-
the median is 30 and the mean is 44. force algorithm. Essentially, the solver
To mount a full reconstruction at- The language Sugar13 is used to en- explores every possible combination of
tack, an attacker extracts all of these code the constraints in a form that can the variables, until a combination is
constraints and then creates a single be processed by a SAT (satisfiability) found that satisfies the constraints. Us-
mathematical model embodying all solver. Sugar represents constraints as ing a variety of heuristics, SAT solvers
constraints. An automated solver can s-expressions.11 For example, the age are able to rapidly eliminate many
then find an assignment of the vari- combination equation can be repre- combinations of variable assignments.
ables that satisfies these constraints. sented as: Despite their heuristic complexity,

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 49
practice

SAT solvers can process only those sys- are arranged in sorted order (for the (<= A4 A5)
tems that have Boolean variables, so Sug- case in which there is an odd number of (<= A6 A7)
ar transforms the s-expressions into a numbers). Until now, persons 1 through
much larger set of Boolean constraints. 7 have not been distinguished in any Having the labels in chronological
For example, each age variable is encod- way: the number labels are purely arbi- order, we can constrain the age of the
ed using unary notation as 126 Boolean trary. To make it easier to describe the person in the middle to be the median:
variables. Using this notation, the deci- median constraints, we can assert the
mal value 0 is encoded as 126 false Bool- labels must be assigned in order of age. (= A4 30)
ean variables, the decimal value 1 is en- This is done by introducing five con-
coded as 1 true and 125 false values, and straints, which has the side effect of Sugar has an “if” function that al-
so on. Although this conversion is not eliminating duplicate answers that have lows encoding constraints for a subset
space efficient, it is fast, provided that simply swapped records, an approach of the population. Recall that statistic 2B
the integers have a limited range. called breaking symmetry.12 contains three constraints: there are
To encode the median age con- three males, their median age is 30, and
straint, the median of a group of num- (<= A1 A2) their average age is 44. The value 0 repre-
bers is precisely defined as the value of (<= A2 A3) sents a female, and 1 represents a male:
the middle number when the numbers (<= A3 A4)
#define FEMALE 0
Figure 1. Encoding statistic 2B, that the average male age is 44, with Sugar’s “if” #define MALE 1
statement.

(= (+ (if (= S1 MALE) A1 0) ; average male age = 44 Using the variable Sn to represent

(if (= S2 MALE) A2 0) the sex of person n, we then have the
(if (= S3 MALE) A3 0)
(if (= S4 MALE) A4 0) constraint:
(if (= S5 MALE) A5 0)
(if (= S6 MALE) A6 0) S1 + S2 + S3 + S4 + S5 + S6 + S7 = 3
(if (= S7 MALE) A7 0)
)
(* 3 44)) This can be represented as:

(= (+ S1 S2 S3 S4 S5 S6 S7) 3)
Figure 2. Encoding the suppressed statistic 3A, that there are between 0 and 2 single
adults.
As illustrated in Figure 1, the if
Let Mn represent the marital status of person n:
function allows a straightforward way
to create a constraint for the mean age
#define SINGLE 0 44 of male persons.
#define MARRIED 1 Table 1 translates into 164 individual
(int SINGLE_ADULT_COUNT 0 2) s-expressions extending over 457 lines.
(= (+ (if (and (= M1 SINGLE) (> A1 17)) 1 0) Sugar then translates this into a single
(if (and (= M2 SINGLE) (> A2 17)) 1 0) Boolean formula consisting of 6,755
(if (and (= M3 SINGLE) (> A3 17)) 1 0)
(if (and (= M4 SINGLE) (> A4 17)) 1 0)
variables arranged in 252,575 clauses.
(if (and (= M5 SINGLE) (> A5 17)) 1 0) This format is called the CNF (conjunc-
(if (and (= M6 SINGLE) (> A6 17)) 1 0) tive normal form) because it consists of
(if (and (= M7 SINGLE) (> A7 17)) 1 0)) many clauses that are combined using
SINGLE_ADULT_COUNT)
the Boolean AND operation.
(>= SINGLE_ADULT_COUNT 0) Interestingly, we can even create
(<= SINGLE_ADULT_COUNT 2) constraints for the suppressed data.
Statistic 3A is suppressed, so we know

Table 4. A single satisfying assignment. Table 5. Solutions without statistic 4A.

Age Sex Race Marital Status Solution #1 Solution #1 Solution #2

8 F B S 8FBS 8FBS 2FBS

18 M W S 18MWS 18MWS 12MWS
24 F W S 24FWS 24FWS 24FWM
30 M W M 30MWM 30MWM 30MBM
36 F B M 36FBM 36FBM 36FWS
66 F B M 66FBM 66FBM 72FBM
84 M B M 84MBM 84MBM 90MBM

50 COMMUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 practice

that there are 0, 1, or 2 single adults, as then any element (person) in common
no complementary suppression was re- among all of the solutions is revealed. If
quired (see Figure 2). the equations have no solution, either
Translating the constraints into CNF the set of published statistics is incon-
allows them to be solved using any solv-
er that can solve an NP-complete pro- The 2020 census is sistent with the fictional statistical agen-
cy’s claim that it is tabulated from a real
gram, such as a SAT solver, SMT (satisfi-
ability module theories) solver, or MIP
expected to count confidential database or an error was
made in that tabulation. This doesn’t
(mixed integer programming) solver. approximately 330 mean that a high-quality reconstruction
There are many such solvers, and most
take input in the so-called DIMACS file
million people living is not possible. Instead of using the pub-
lished statistics as a set of constraints,
format, which is a standardized form on about 8.5 million they can be used as inputs to a multidi-
for representing CNF equations. The
DIMACS format (named for the Center
blocks, with some mensional objective function: the sys-
tem can then be solved to a set of vari-
for Discrete Mathematics and Theoreti- inhabited blocks ables as close as possible to the
cal Computer Science at Rutgers Uni-
versity in New Jersey) was popularized having as few as a published statistics using another kind
of solver called an optimizer.
by a series of annual SAT solver compe- single person and Normally SAT, SMT, and MIP solvers
titions. One of the results of these com-
petitions was a tremendous speed-up of other blocks having will stop when they find a single satisfy-
ing solution. One of the advantages of
SAT solvers over the past two decades.
Many solvers can now solve CNF sys-
thousands. PicoSAT is that it can produce the solu-
tion universe of all possible solutions to
tems with millions of variables and the CNF problem. In this case, however,
clauses in just a few minutes, although there is a single satisfying assignment
some problems do take much longer. that produces the statistics in Table 1.
Marijn Heule and Oliver Kullmann dis- That assignment is seen in Table 4.
cussed the rapid advancement and use Table 1 provides some redundant
of SAT solvers in their 2017 article, “The constraints on the solution universe:
Science of Brute Force.”7 some of the constraints can be dropped
The open source PicoSAT2 solver is while preserving a unique solution. For
able to find a solution to the CNF prob- example, dropping statistic 2A, 2B, 2C, or
lem detailed here in approximately two 2D still yields a single solution, but drop-
seconds on a 2013 MacBook Pro with a ping 2A and 2B increases the solution uni-
2.8GHz Intel i7 processor and 16GB of verse to eight satisfying solutions. All of
RAM (although the program is not lim- these solutions contain the reconstruct-
ited by RAM), while the open source Glu- ed microdata records 8FBS, 36FBM,
cose SAT solver can solve the problem in 66FBM, and 84MBM. This means that
under 0.1 seconds on the same comput- even if statistics 2A and 2B are sup-
er. The stark difference between the two pressed, we can still infer that these four
solvers shows the speed-up possible microdata records must be present.
with an improved solving algorithm. Statistical agencies have long used
Exploring the solution universe. Pico- suppression in an attempt to provide
SAT finds a satisfying assignment for the privacy to those whose attributes are
6,755 Boolean variables. After the solver present in the microdata; the statistics
runs, Sugar can translate these assign- they typically drop are those based on a
ments back into integer values of the small number of people. How effective is
constructed variables. (SMT and MIP this approach?
solvers can represent the constraints at a In Table 1, statistic 4A is an obvious
higher level of abstraction, but for our candidate for suppression—especially
purposes a SAT solver is sufficient.) given that statistics 4B, 4C, and 4D
There exists a solution universe of all have already been suppressed to avoid
the possible solutions to this set of con- an inappropriate statistical disclosure.
straints. If the solution universe con- Removing the constraints for statis-
tains a single possible solution, then the tic 4A increases the number of solu-
published statistics completely reveal tions from one to two, shown in Table 5.
the underlying confidential data—pro-
vided that noise was not added to either Defending Against a DRA
the microdata or the tabulations as a There are three approaches for defend-
disclosure-avoidance mechanism. If ing against a database reconstruction
there are multiple satisfying solutions, attack. The first is to publish less statis-

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 51
practice

tical data—this is the approach taken ty, then any tabulation at the county lev-
by legacy disclosure-avoidance tech- el will be unaffected by swapping. The
niques (cell suppression, top-coding, disadvantage of swapping is that it can
and generalization). The second and have significant impact on statistics at
third approaches involve adding noise,
or randomness. Noise can be added to Statistical agencies lower levels of geography, and values that
are not swapped are unprotected.
the statistical data being tabulated or
to the results after tabulation. Each ap-
have long used Option 3. Apply noise to the published
statistics. This approach is called output
proach is considered here. suppression in an noise injection. Whereas input noise injec-
Option 1. Publish less data. Although it
might seem that publishing less statisti-
attempt to provide tion applies noise to the microdata di-
rectly, output noise injection applies out-
cal data is a reasonable defense against privacy to those put to the statistical publications. Output
the DRA, this choice may severely limit
the number of tabulations that can be
whose attributes noise injection complicates database re-
construction by eliminating naïve ap-
published. A related problem is that, are present on the proaches based on the straightforward
with even a moderately small popula-
tion, it may be computationally infea- microdata, although application of SAT solvers. Also, even if a
set of microdata is constructed that is
sible to determine when the published the statistics they mostly consistent with the published
statistics still identify a sizable frac-
tion of individuals in the population. typically drop are statistics, these microdata will be some-
what different from the original micro-
Option 2. Apply noise before tabula-
tion. This approach is called input noise
those based on data that was collected. The more noise
that was added to the tabulation, the
injection. For example, each respon- a small number more the microdata will be different.
dent’s age might be randomly altered
by a small amount. Input noise injec-
of people. How When noise is added to either the in-
put data (option 2) or the tabulation re-
tion does not prevent finding a set of effective is this sults (option 3), with all records having
microdata that is consistent with the
published statistics, but it limits the approach? equal probability of being altered, it is
possible to mathematically describe the
value of the reconstructed microdata, resulting privacy protection. This is the
since what is reconstructed is the mi- basis of differential privacy.
crodata after the noise has been added. Implications for the 2020 census.
For example, if a random offset in the The Census Bureau has announced
range of 2... + 2 is added to each record that it is adopting a noise-injection
of the census, and the reconstruction re- mechanism based on differential pri-
sults in individuals of ages (7, 17, 22, 29, vacy to provide privacy protection for
36, 66, 82) or (6, 18, 26, 31, 34, 68, 82), an the underlying microdata collected as
attacker would presumably take this part of the 2020 census. Following is
into account but would have no way of the motivation for that decision.
knowing if the true age of the youngest The protection mechanism devel-
person is 5, 6, 7, 8, or 9. Randomness oped for the 2010 census was based on
could also be applied to the sex, race, a swapping.15 The swapping technique
and marital status variables. Clearly, the was not designed to protect the under-
more noise that is added, the better pri- lying data against a DRA. Indeed, it is
vacy is protected, but the less accurate the Census Bureau’s policy that both
are the resulting statistics. Considering the swapped and the unswapped mi-
statistic 1A, input noise infusion might crodata are considered confidential.
result in a median 28... 32 and a mean The 2010 census found a total popu-
36... 40. (Note that when using differen- lation of 308,745,538. These people oc-
tial privacy, the infused noise is not cupied 10,620,683 habitable blocks.
drawn from a bounded domain but in- Each person was located in a residential
stead is typically drawn from a Laplace housing unit or institutional housing ar-
or geometric distribution.) rangement (what the Census Bureau
Swapping, the disclosure-avoidance calls “group quarters”). For each person,
approach used in the 2010 census, is a the Census Bureau tabulated the per-
kind of input noise injection. In swap- son’s location, as well as sex, age, race,
ping, some of the attributes are ex- and ethnicity, and the person’s relation-
changed, or swapped, between records. ship to the head of the household—that
The advantage of swapping is that it has is, six attributes per person, for a total of
no impact on some kinds of statistics: if approximately 1.5 billion attributes. Us-
people are swapped only within a coun- ing this data, the Census Bureau pub-

52 COMM UNICATIO NS O F THE AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 practice

lished approximately 7.7 billion linearly is ultimately only one exact solution References
independent statistics, including 2.7 when the published table is correctly tab- 1. Adam, N.R., Worthmann, J.C. Security-control
methods for statistical databases: A comparative
billion in the PL94-171 redistricting file, ulated from a real confidential database. study. ACM Computing Surveys 21, 4 (1989), 515–556;
2.8 billion in the balance of summary Restricting the number or specific types http://doi.acm.org/10.1145/76894.76895.
2. Biere, A. PicoSAT essentials. J. Satisfiability, Boolean
file 1, 2 billion in summary file 2, and 31 of queries—for example, by suppressing Modeling and Computation 4, (2008), 75–97; https://
million records in a public-use micro- results from a small number of respon- bit.ly/2QcziqW
3. Blum, A., Dwork, C., McSherry, F. Nissim, K. Practical
data sample. This results in approxi- dents—is often insufficient to prevent privacy: The SuLQ framework. In Proceedings of the
mately 25 statistics per person. Given access to indirectly identifying informa- 24th ACM SIGMOD-SIGACT-SIGART Symposium
on Principles of Database Systems, 2005, 128–138;
these numbers and the example in this tion, because the system’s refusal to an- https://dl.acm.org/citation.cfm?id=1065184.
article, it is clear that there is a theoreti- swer a “dangerous” query itself provides 4. Dinur, I., Nissim, K. Revealing information while
preserving privacy. In Proceedings of the 22nd ACM
cal possibility the national-level census the attacker with information. SIGMOD-SIGACT-SIGART Principles of Database
could be reconstructed, although tools Systems, 2003, 202–210; https://dl.acm.org/citation.
cfm?id=773173.
such as Sugar and PicoSAT are probably Conclusion 5. Dwork, C., McSherry, F., Nissim, K., Smith, A. 2006.
Calibrating noise to sensitivity in private data
not powerful enough to do so. With the dramatic improvement in analysis. In Proceedings of the 3rd Conference
To protect the privacy of census respon- both computer speeds and the efficien- on Theory of Cryptography, 2006, 265–284.
Springer-Verlag, Berlin, Heidelberg; http://dx.doi.
dents, the Census Bureau is developing a cy of SAT and other NP-hard solvers in org/10.1007/11681878_14.
privacy-protection system based on differ- the last decade, DRAs on statistical da- 6. Dwork, C., Nissim, K. Privacy-preserving datamining
on vertically partitioned databases. In Proceedings
ential privacy. This system will ensure tabases are no longer just a theoretical of the 24th International Cryptology Conference
every statistic and the corresponding mi- danger. The vast quantity of data prod- 3152, 2004, 528–544. Springer Verlag, Santa
Barbara, CA; https://bit.ly/2zKunmJ
crodata receive some amount of privacy ucts published by statistical agencies 7. Heule, M.J.H., Kullmann, O. The science of brute force.
protection, while providing that the re- each year may give a determined at- Commun. ACM 60, 8 (Aug. 2017), 70–79; http://doi.
acm.org/10.1145/3107239.
sulting statistics are sufficiently accurate tacker more than enough information 8. Kleinberg, J., Papadimitriou, C., Raghavan, P. Auditing
for their intended purpose. to reconstruct some or all of a target Boolean attributes. In Proceedings of the 19th ACM
SIGMOD-SIGACT-SIGART Symposium on Principles
This article has explained the motiva- database and breach the privacy of mil- of Database Systems, 2000, 86–91; http://doi.acm.
tion for the decision to use differential lions of people. Traditional disclosure- org/10.1145/335168.335210.
9. Kong, S., Malec, D. Cook-Levin theorem. Lecture,
privacy. Without a privacy-protection sys- avoidance techniques are not designed University of Wisconsin, 2007.
tem based on noise injection, it would be to protect against this kind of attack. 10. Marques-Silva, J., Lynce, I., Malik, S. Conflict-
driven clause learning SAT solvers. Handbook of
possible to reconstruct accurate micro- Faced with the threat of database re- Satisfiability, 131–153. IOS Press, Amsterdam,
The Netherlands, 2009.
data using only the published statistics. construction, statistical agencies have 11. McCarthy, J. Recursive functions of symbolic
By using differential privacy, we can add two choices: they can either publish expressions and their computation by machine, part I.
Commun. ACM 3, 4 (Apr. 1960), 184–195;
the minimum amount of noise neces- dramatically less information or use https://dl.acm.org/citation.cfm?id=367199.
sary to achieve the Census Bureau’s pri- some kind of noise injection. Agencies 12. Metin, H., Baarir, S., Colange, M., Kordon, F.
CDCLSym: Introducing effective symmetry
vacy requirements. A future article will can use differential privacy to deter- breaking in SAT solving. Tools and Algorithms
explain how that system works. mine the minimum amount of noise for the Construction and Analysis of Systems. D.
Beyer and M. Huisman, eds. Springer International
necessary to add, and the most effi- Publishing, 2018, 99–114; https://link.springer.com/
Related Work cient way to add that noise, in order to chapter/10.1007/978-3-319-89960-2_6.
13. Tamura, N., Taga, A., Kitagawa, S., Banbara, M.
In 2003, Irit Dinur and Kobbi Nissim4 achieve their privacy protection goals. Compiling finite linear CSP into SAT. Contraints
showed the amount of noise that must 14, 2 (2009), 254–272; https://dl.acm.org/citation.
cfm?id=1527316; http://bach.istc.kobe-u.ac.jp/sugar/.
be added to a database to prevent a re- Acknowledgments 14. Whitney, C.R. Jeanne Calment, world’s elder,
construction of the underlying data Robert Ashmead, Chris Clifton, Kobbi dies at 122. New York Times (Aug. 5, 1997);
https://nyti.ms/2kM4oFb.
is on the order of Ω(√n) where n is the Nissim, and Philip Leclerc provided ex- 15. Zayatz, L., Lucero, J., Massell, P., Ramanayake, A.
number of bits in the database. In prac- traordinarily useful comments on this Disclosure avoidance for Census 2010 and American
Community Survey five-year tabular data products.
tice, many statistical agencies do not article. Naoyuki Tamura provided invalu- Statistical Research Division, U.S. Census Bureau;
add this much noise when they release https://www.census.gov/srd/CDAR/rrs2009-10_
able help regarding the use of Sugar. ACS_5yr.pdf.
statistical tables. (In our example, each
record contains 11 bits of data, so the
Simson L. Garfinkel is the Senior Computer Scientist
confidential database has 77 bits of Related articles for Confidentiality and Data Access at the U.S. Census
information. Each statistic in Table 3 on queue.acm.org Bureau and the Chair of the Census Bureau’s Disclosure
Review Board.
can be modeled as a four-bit of count, a Go Static or Go Home
John M. Abowd is the Chief Scientist and Associate
seven-bit of median, and a seven-bit of Paul Vixie Director for Research and Methodology at the U.S. Census
mean, for a total of 18 bits; Table 3 re- https://queue.acm.org/detail. Bureau, where he serves on leave from his position as the
cfm?ref=rss&id=2721993 Edmund Ezra Day Professor of Economics, professor of
leases 126 bits of information.) Dinur information science, and member of the Department of
and Nissim’s primary finding is that Privacy, Anonymity, and Big Data in the Statistical Sciences at Cornell University, Ithaca, NY, USA.
many statistical agencies leave them- Social Sciences Christian Martindale is a senior at Duke University,
Jon P. Daries et al. Durham, NC, USA.
selves open to the risk of database
https://queue.acm.org/detail.cfm?id=2661641
reconstruction. This article demon-
strates one way to conduct that attack. Research for Practice: Private Online
Communication; Highlights in Systems
Statistical tables create the possibility Verification
of database reconstruction because they Albert Kwon, James Wilcox Copyright held by authors/owners.
form a set of constraints for which there https://queue.acm.org/detail.cfm?id=3149411 Publication rights licensed to ACM.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 53
contributed articles
DOI:10.1145/ 3241036
Intensive theoretical and experimental
The kind of causal inference seen in natural efforts toward “transfer learning,” “do-
main adaptation,” and “lifelong learn-
human thought can be “algorithmitized” to help ing”4 are reflective of this obstacle.
produce human-level machine intelligence. Another obstacle is “explainability,”
or that “machine learning models re-
BY JUDEA PEARL main mostly black boxes”26 unable to
explain the reasons behind their pre-

The Seven
dictions or recommendations, thus
eroding users’ trust and impeding di-
agnosis and repair; see Hutson8 and
Marcus.11 A third obstacle concerns the

Tools of
lack of understanding of cause-effect
connections. This hallmark of human
cognition10,23 is, in my view, a neces-
sary (though not sufficient) ingredient

Causal
for achieving human-level intelligence.
This ingredient should allow computer
systems to choreograph a parsimoni-
ous and modular representation of

Inference,
their environment, interrogate that rep-
resentation, distort it through acts of
imagination, and finally answer “What
if?” kinds of questions. Examples in-
clude interventional questions: “What

with Reflections if I make it happen?” and retrospective

or explanatory questions: “What if I had
acted differently?” or “What if my flight

on Machine
had not been late?” Such questions can-
not be articulated, let alone answered by
systems that operate in purely statistical

Learning
mode, as do most learning machines to-
day. In this article, I show that all three
obstacles can be overcome using causal
modeling tools, in particular, causal di-
agrams and their associated logic. Cen-
tral to the development of these tools
are advances in graphical and structural
models that have made counterfactuals
computationally manageable and thus
rendered causal reasoning a viable com-
THE DRAMATIC SUCCESS I n machine learning has led to
an explosion of artificial intelligence (AI) applications key insights
and increasing expectations for autonomous systems
˽˽ Data science is a two-body problem,
that exhibit human-level intelligence. These expectations connecting data and reality, including the
forces behind the data.
have, however, met with fundamental obstacles that
˽˽ Data science is the art of interpreting
cut across many application areas. One such obstacle reality in the light of data, not a mirror
is adaptability, or robustness. Machine learning
ILLUSTRATION BY VAULT49

through which data sees itself from

different angles.
researchers have noted current systems lack the ability ˽˽ The ladder of causation is the double
to recognize or react to new circumstances they have helix of causal thinking, defining what can
and cannot be learned about actions and
not been specifically programmed or trained for. about worlds that could have been.

54 COM MUNICATIO NS O F TH E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 55
contributed articles

ponent in support of strong AI. those taken in previous price-raising syntactic signature that characterizes
In the next section, I describe a situations—unless we replicate pre- the sentences admitted into that layer.
three-level hierarchy that restricts and cisely the market conditions that ex- For example, the Association layer is
governs inferences in causal reason- isted when the price reached double characterized by conditional prob-
ing. The final section summarizes how its current value. Finally, the top level ability sentences, as in P(y|x) = p, stating
traditional impediments are circum- invokes Counterfactuals, a mode of that: The probability of event Y = y, given
vented through modern tools of causal reasoning that goes back to the philos- that we observed event X = x is equal to
inference. In particular, I present seven ophers David Hume and John Stuart p. In large systems, such evidentiary
tasks that are beyond the reach of “as- Mill and that has been given comput- sentences can be computed efficiently
sociational” learning systems and have er-friendly semantics in the past two through Bayesian networks or any num-
been (and can be) accomplished only decades.1,18 A typical question in the ber of machine learning techniques.
through the tools of causal modeling. counterfactual category is: “What if I At the Intervention layer, we deal
had acted differently?” thus necessi- with sentences of the type P(y|do(x), z)
The Three-Level Causal Hierarchy tating retrospective reasoning. that denote “The probability of event Y
A useful insight brought to light I place Counterfactuals at the top = y, given that we intervene and set the
through the theory of causal models is of the hierarchy because they sub- value of X to x and subsequently observe
the classification of causal information sume interventional and association- event Z = z. Such expressions can be es-
in terms of the kind of questions each al questions. If we have a model that timated experimentally from random-
class is capable of answering. The clas- can answer counterfactual queries, ized trials or analytically using causal
sification forms a three-level hierarchy we can also answer questions about Bayesian networks.18 A child learns the
in the sense that questions at level i (i = interventions and observations. For effects of interventions through playful
1, 2, 3) can be answered only if informa- example, the interventional question: manipulation of the environment (usu-
tion from level j (j > i) is available. What will happen if we double the ally in a deterministic playground),
Figure 1 outlines the three-level hi- price? can be answered by asking the and AI planners obtain interventional
erarchy, together with the characteris- counterfactual question: What would knowledge by exercising admissible
tic questions that can be answered at happen had the price been twice its sets of actions. Interventional expres-
each level. I call the levels 1. Associa- current value? Likewise, association- sions cannot be inferred from passive
tion, 2. Intervention, and 3. Counter- al questions can be answered once observations alone, regardless of how
factual, to match their usage. I call the we answer interventional questions; big the data.
first level Association because it in- we simply ignore the action part and Finally, at the Counterfactual level,
vokes purely statistical relationships, let observations take over. The trans- we deal with expressions of the type
defined by the naked data.a For in- lation does not work in the opposite P(yx |x′,y′) that stand for “The probabil-
stance, observing a customer who buys direction. Interventional questions ity that event Y = y would be observed
toothpaste makes it more likely that cannot be answered from purely ob- had X been x, given that we actually
this customer will also buy floss; such servational information, from statis- observed X to be x′ and Y to be y′.” For
associations can be inferred directly tical data alone. No counterfactual example, the probability that Joe’s sal-
from the observed data using standard question involving retrospection can ary would be y had he finished college,
conditional probabilities and condi- be answered from purely interven- given that his actual salary is y′ and that
tional expectation.15 Questions at this tional information, as with that ac- he had only two years of college.” Such
layer, because they require no causal quired from controlled experiments; sentences can be computed only when
information, are placed at the bottom we cannot re-run an experiment on the model is based on functional rela-
level in the hierarchy. Answering them human subjects who were treated tions or structural.18
is the hallmark of current machine with a drug and see how they might This three-level hierarchy, and the
learning methods.4 The second level, behave had they not been given the formal restrictions it entails, explains
Intervention, ranks higher than Asso- drug. The hierarchy is therefore di- why machine learning systems, based
ciation because it involves not just see- rectional, with the top level being the only on associations, are prevented
ing what is but changing what we see. most powerful one. from reasoning about (novel) actions,
A typical question at this level would Counterfactuals are the building experiments, and causal explanations.b
be: What will happen if we double the blocks of scientific thinking, as well
price? Such a question cannot be an- as of legal and moral reasoning. For b One could be tempted to argue that deep
swered from sales data alone, as it in- example, in civil court, a defendant is learning is not merely “curve fitting” because
volves a change in customers’ choices considered responsible for an injury it attempts to minimize “overfit,” through, say,
sample-splitting cross-validation, as opposed
in reaction to the new pricing. These if, but for the defendant’s action, it is to maximizing “fit.” Unfortunately, the theo-
choices may differ substantially from more likely than not the injury would retical barriers that separate the three layers in
not have occurred. The computational the hierarchy tell us the nature of our objective
a Other terms used in connection with this meaning of “but for” calls for com- function does not matter. As long as our sys-
layer include “model-free,” “model-blind,” paring the real world to an alternative tem optimizes some property of the observed
“black-box,” and “data-centric”; Darwiche5 data, however noble or sophisticated, while
used “function-fitting,” as it amounts to fit-
world in which the defendant’s action making no reference to the world outside the
ting data by a complex function defined by a did not take place. data, we are back to level-1 of the hierarchy,
neural network architecture. Each layer in the hierarchy has a with all the limitations this level entails.

56 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 contributed articles

Questions Answered in everyday language, and modern so- These impediments have changed
with a Causal Model ciety constantly demands answers to dramatically in the past three de-
Consider the following five questions: such questions. Yet, until very recently, cades; for example, a mathemati-
˲˲ How effective is a given treatment science gave us no means even to ar- cal language has been developed for
in preventing a disease?; ticulate them, let alone answer them. managing causes and effects, ac-
˲˲ Was it the new tax break that Unlike the rules of geometry, mechan- companied by a set of tools that turn
caused our sales to go up?; ics, optics, or probabilities, the rules of causal analysis into a mathematical
˲˲ What annual health-care costs are cause and effect have been denied the game, like solving algebraic equa-
attributed to obesity?; benefits of mathematical analysis. tions or finding proofs in high-school
˲˲ Can hiring records prove an em- To appreciate the extent of this de- geometry. These tools permit scien-
ployer guilty of sex discrimination?; nial readers would likely be stunned tists to express causal questions for-
and to learn that only a few decades ago mally, codify their existing knowledge
˲˲ I am about to quit my job, but scientists were unable to write down in both diagrammatic and algebraic
should I? a mathematical equation for the ob- forms, and then leverage data to esti-
The common feature of these ques- vious fact that “Mud does not cause mate the answers. Moreover, the the-
tions concerns cause-and-effect rela- rain.” Even today, only the top echelon ory warns them when the state of ex-
tionships. We recognize them through of the scientific community can write isting knowledge or the available data
such words as “preventing,” “cause,” such an equation and formally distin- is insufficient to answer their ques-
“attributed to,” “discrimination,” and guish “mud causes rain” from “rain tions and then suggests additional
“should I.” Such words are common causes mud.” sources of knowledge or data to make
the questions answerable.
Figure 1. The causal hierarchy. Questions at level 1 can be answered only if information The development of the tools has
from level i or higher is available.
had a transformative impact on all da-
ta-intensive sciences, especially social
Level (Symbol) Typical Activity Typical Questions Examples science and epidemiology, in which
1. Association Seeing What is? How would What does a symptom causal diagrams have become a second
P(y|x) seeing X change my tell me about a disease? language.14,34 In these disciplines, caus-
belief inY? What does a survey tell al diagrams have helped scientists ex-
us about the election
results?
tract causal relations from associations
2. Intervention Doing, What if? What if I do X? What if I take aspirin,
and deconstruct paradoxes that have
P(y|do(x), z) Intervening will my headache be baffled researchers for decades.23,25
cured? What if we ban I call the mathematical framework
cigarettes? that led to this transformation “struc-
3. Counterfactuals Imagining, Why? Was it X that Was it the aspirin that tural causal models” (SCM), which con-
P(yx|x′, y′) Retrospection caused Y? What if I had stopped my headache?
acted differently? Would Kennedy be alive sists of three parts: graphical models,
had Oswald not shot structural equations, and counterfac-
him? What if I had not tual and interventional logic. Graphi-
been smoking the past
cal models serve as a language for
two years?
representing what agents know about
the world. Counterfactuals help them
articulate what they wish to know. And
Figure 2. How the SCM “inference engine” combines data with a causal model (or assump- structural equations serve to tie the two
tions) to produce answers to queries of interest.
together in a solid semantics.
Figure 2 illustrates the operation
Inputs Outputs of SCM in the form of an inference
engine. The engine accepts three in-
Estimand puts—Assumptions, Queries, and
Query (Recipe for ES Data—and produces three outputs—
answering the query)
Estimand, Estimate, and Fit indices.

Figure 3. Graphical model depicting

causal assumptions about three variables;
Assumptions Estimate
ES the task is to estimate the causal effect
(Graphical model) (Answer to query)
of X on Y from non-experimental data on
{X, Y, Z}.

Z
Data Fit Indices F

X Y

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 57
contributed articles

The Estimand (ES) is a mathematical lack testable implications. Therefore, with the available data and, if not, iden-
formula that, based on the Assump- the veracity of the resultant estimate tify those that need repair.
tions, provides a recipe for answering must lean entirely on the assumptions Advances in graphical models have
the Query from any hypothetical data, encoded in the arrows of Figure 3, so made compact encoding feasible. Their
whenever it is available. After receiving neither refutation nor corroboration transparency stems naturally from the
the data, the engine uses the Estimand can be obtained from the data.c fact that all assumptions are encoded
to produce an actual Estimate (ÊS) for The same procedure applies to qualitatively in graphical form, mirror-
the answer, along with statistical es- more sophisticated queries, as in, say, ing the way researchers perceive cause-
timates of the confidence in that an- the counterfactual query Q = P(yx |x′,y′) effect relationships in the domain;
swer, reflecting the limited size of the discussed earlier. We may also permit judgments of counterfactual or statis-
dataset, as well as possible measure- some of the data to arrive from con- tical dependencies are not required,
ment errors or missing data. Finally, trolled experiments that would take since such dependencies can be read
the engine produces a list of “fit indi- the form P(V|do(W)) in case W is the off the structure of the graph.18 Test-
ces” that measure how compatible the controlled variable. The role of the Es- ability is facilitated through a graphical
data is with the Assumptions conveyed timand would remain that of convert- criterion called d-separation that pro-
by the model. ing the Query into the syntactic form vides the fundamental connection be-
To exemplify these operations, as- involving the available data and then tween causes and probabilities. It tells
sume our Query stands for the causal guiding the choice of the estimation us, for any given pattern of paths in the
effect of X (taking a drug) on Y (re- technique to ensure unbiased esti- model, what pattern of dependencies
covery), written as Q = P(Y|do(X)). mates. The conversion task is not al- we should expect to find in the data.15
Let the modeling assumptions be ways feasible, in which case the Query Tool 2. Do-calculus and the control
encoded (see Figure 3), where Z is a is declared “non-identifiable,” and the of confounding. Confounding, or the
third variable (say, Gender) affecting engine should exit with FAILURE. For- presence of unobserved causes of two
both X and Y. Finally, let the data be tunately, efficient and complete algo- or more variables, long considered
sampled at random from a joint dis- rithms have been developed to decide the major obstacle to drawing causal
tribution P(X, Y, Z). The Estimand identifiability and produce Estimands inference from data, has been demys-
(ES) derived by the engine (automati- for a variety of counterfactual queries tified and “deconfounded” through a
cally using Tool 2, as discussed in and a variety of data types.3,30,32 graphical criterion called “backdoor.”
the next section) will be the formula I next provide a bird’s-eye view of In particular, the task of selecting an
ES = ∑z P(Y|X, Z)P(Z), which defines a seven tasks accomplished through the appropriate set of covariates to control
procedure of estimation. It calls for SCM framework and the tools used in for confounding has been reduced to a
estimating the gender-specific con- each task and discuss the unique con- simple “roadblocks” puzzle manage-
ditional distributions P(Y|X, Z) for tribution each tool brings to the art of able through a simple algorithm.16
males and females, weighing them by automated reasoning. For models where the backdoor
the probability P(Z) of membership Tool 1. Encoding causal assump- criterion does not hold, a symbolic
in each gender, then taking the aver- tions: Transparency and testability. engine is available, called “do-calcu-
age. Note the Estimand ES defines a The task of encoding assumptions in lus,” that predicts the effect of policy
property of P(X,Y, Z) that, if properly a compact and usable form is not a interventions whenever feasible and
estimated, would provide a correct trivial matter once an analyst takes exits with failure whenever predictions
answer to our Query. The answer it- seriously the requirement of transpar- cannot be ascertained on the basis of
self, the Estimate ÊS, can be produced ency and testability.d Transparency en- the specified assumptions.3,17,30,32
through any number of techniques ables analysts to discern whether the Tool 3. The algorithmitization of
that produce a consistent estimate assumptions encoded are plausible counterfactuals. Counterfactual analy-
of ES from finite samples of P(X,Y, Z). (on scientific grounds) or whether ad- sis deals with behavior of specific in-
For example, the sample average (of ditional assumptions are warranted. dividuals identified by a distinct set
Y) over all cases satisfying the speci- Testability permits us (whether analyst of characteristics. For example, given
fied X and Z conditions would be a or machine) to determine whether the that Joe’s salary is Y = y, and that he
consistent estimate. But more-effi- assumptions encoded are compatible went X = x years to college, what would
cient estimation techniques can be Joe’s salary be had he had one more
devised to overcome data sparsity.28 c The assumptions encoded in Figure 3 are con- year of education?
This task of estimating statistical re- veyed by its missing arrows. For example, Y One of the crowning achievements
lationships from sparse data is where does not influence X or Z, X does not influence of contemporary work on causality
Z, and, most important, Z is the only variable
deep learning techniques excel, and affecting both X and Y. That these assump-
has been to formalize counterfactual
where they are often employed.33 tions lack testable implications can be con- reasoning within the graphical rep-
Finally, the Fit Index for our example cluded directly from the fact that the graph is resentation, the very representation
in Figure 3 will be NULL; that is, after complete; that is, there exists an edge connect- researchers use to encode scientific
examining the structure of the graph in ing every pair of nodes. knowledge. Every structural equation
d Economists, for example, having chosen al-
Figure 3, the engine should conclude gebraic over graphical representations, are
model determines the “truth value” of
(using Tool 1, as discussed in the next deprived of elementary testability-detect- every counterfactual sentence. There-
section) that the assumptions encoded ing features. 21 fore, an algorithm can determine if the

58 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 contributed articles

probability of the sentence is estima- can be used for both for readjusting
ble from experimental or observational learned policies to circumvent envi-
studies, or a combination thereof.1,18,30 ronmental changes and for controlling
Of special interest in causal dis- disparities between nonrepresentative
course are counterfactual questions
concerning “causes of effects,” as op- Unlike the rules samples and a target population.3 It
can also be used in the context of rein-
posed to “effects of causes.” For exam-
ple, how likely it is that Joe’s swimming
of geometry, forcement learning to evaluate policies
that invoke new actions, beyond those
exercise was a necessary (or sufficient) mechanics, optics, used in training.35
cause of Joe’s death.7,20
Tool 4. Mediation analysis and the
or probabilities, Tool 6. Recovering from missing
data. Problems due to missing data
assessment of direct and indirect ef- the rules of cause plague every branch of experimental
fects. Mediation analysis concerns the
mechanisms that transmit changes
and effect science. Respondents do not answer
every item on a questionnaire, sensors
from a cause to its effects. The iden- have been denied malfunction as weather conditions
tification of such an intermediate
mechanism is essential for generat- the benefits worsen, and patients often drop from
a clinical study for unknown reasons.
ing explanations, and counterfactual of mathematical The rich literature on this problem is
analysis must be invoked to facilitate
this identification. The logic of coun- analysis. wedded to a model-free paradigm of
associational analysis and, accord-
terfactuals and their graphical repre- ingly, is severely limited to situations
sentation have spawned algorithms for where “missingness” occurs at ran-
estimating direct and indirect effects dom; that is, independent of values
from data or experiments.19,27,34 A typi- taken by other variables in the model.6
cal query computable through these al- Using causal models of the missing-
gorithms is: What fraction of the effect ness process we can now formalize
of X on Y is mediated by variable Z? the conditions under which causal
Tool 5. Adaptability, external va- and probabilistic relationships can be
lidity, and sample selection bias. The recovered from incomplete data and,
validity of every experimental study is whenever the conditions are satisfied,
challenged by disparities between the produce a consistent estimate of the
experimental and the intended imple- desired relationship.12,13
mentational setups. A machine trained Tool 7. Causal discovery. The d-sep-
in one environment cannot be ex- aration criterion described earlier en-
pected to perform well when environ- ables machines to detect and enumer-
mental conditions change, unless the ate the testable implications of a given
changes are localized and identified. causal model. This opens the possibil-
This problem, and its various mani- ity of inferring, with mild assumptions,
festations, are well-recognized by AI the set of models that are compatible
researchers, and enterprises (such as with the data and to represent this set
“domain adaptation,” “transfer learn- compactly. Systematic searches have
ing,” “life-long learning,” and “explain- been developed that, in certain circum-
able AI”)4 are just some of the subtasks stances, can prune the set of compat-
identified by researchers and funding ible models significantly to the point
agencies in an attempt to alleviate the where causal queries can be estimated
general problem of robustness. Unfor- directly from that set.9,18,24,31
tunately, the problem of robustness, Alternatively, Shimizu et al.29 pro-
in its broadest form, requires a causal posed a method for discovering caus-
model of the environment and cannot al directionality based on functional
be properly addressed at the level of As- decomposition.24 The idea is that in a
sociation. Associations alone cannot linear model X → Y with non-Gaussian
identify the mechanisms responsible noise, P(y) is a convolution of two non-
for the changes that occurred,22 the Gaussian distributions and would be,
reason being that surface changes in figuratively speaking, “more Gaussian”
observed associations do not uniquely than P(x). The relation of “more Gauss-
identify the underlying mechanism ian than” can be given precise numeri-
responsible for the change. The do- cal measure and used to infer direc-
calculus discussed earlier now offers a tionality of certain arrows.
complete methodology for overcoming Tian and Pearl32 developed yet
bias due to environmental changes. It another method of causal discovery

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 59
contributed articles

based on the detection of “shocks,” and effect and, leveraging this capabil- 15. Pearl, J. Probabilistic Reasoning in Intelligent
Systems. Morgan Kaufmann, San Mateo, CA, 1988.
or spontaneous local changes in the ity, to become the dominant paradigm 16. Pearl, J. Comment: Graphical models, causality, and
environment that act like “nature’s in- of next-generation AI. intervention. Statistical Science 8, 3 (1993), 266–269.
17. Pearl, J. Causal diagrams for empirical research.
terventions,” and unveil causal direc- Biometrika 82, 4 (Dec. 1995), 669–710.
tionality toward the consequences of Acknowledgments 18. Pearl, J. Causality: Models, Reasoning, and Inference.
Cambridge University Press, New York, 2000; Second
those shocks. This research was supported in Edition, 2009.
part by grants from the Defense Ad- 19. Pearl, J. Direct and indirect effects. In Proceedings
of the 17th Conference on Uncertainty in Artificial
Conclusion vanced Research Projects Agency Intelligence (Seattle, WA, Aug. 2–5). Morgan
Kaufmann, San Francisco, CA, 2001, 411–420.
I have argued that causal reasoning is [#W911NF-16-057], National Science 20. Pearl, J. Causes of effects and effects of causes.
an indispensable component of hu- Foundation [#IIS-1302448, #IIS- Journal of Sociological Methods and Research 44, 1
(2015a), 149–164.
man thought that should be formalized 1527490, and #IIS-1704932], and 21. Pearl, J. Trygve Haavelmo and the emergence of
and algorithmitized toward achieving Office of Naval Research [#N00014- causal calculus. Econometric Theory 31, 1 (2015b),
152–179; special issue on Haavelmo centennial
human-level machine intelligence. I 17-S-B001]. The article benefited sub- 22. Pearl, J. and Bareinboim, E. External validity: From
have explicated some of the impedi- stantially from comments by the anon- do-calculus to transportability across populations.
Statistical Science 29, 4 (2014), 579–595.
ments toward that goal in the form of ymous reviewers and conversations 23. Pearl, J. and Mackenzie, D. The Book of Why: The New
a three-level hierarchy and showed that with Adnan Darwiche of the University Science of Cause and Effect. Basic Books, New York, 2018.
24. Peters, J., Janzing, D. and Schölkopf, B. Elements
inference to level 2 and level 3 requires of California, Los Angeles. of Causal Inference: Foundations and Learning
a causal model of one’s environment. Algorithms. MIT Press, Cambridge, MA, 2017.
25. Porta, M. The deconstruction of paradoxes in
I have described seven cognitive tasks References epidemiology. OUPblog, Oct. 17, 2014; https://blog.oup.
1. Balke, A. and Pearl, J. Probabilistic evaluation of com/2014/10/deconstruction-paradoxes-sociology-
that require tools from these two levels counterfactual queries. In Proceedings of the 12th epidemiology/
of inference and demonstrated how National Conference on Artificial Intelligence (Seattle, 26. Ribeiro, M.T., Singh, S., and Guestrin, C. Why should I
WA, July 31–Aug. 4). MIT Press, Menlo Park, CA, trust you?: Explaining the predictions of any classifier.
they can be accomplished in the SCM 1994, 230–237. In Proceedings of the 22nd ACM SIGKDD International
framework. 2. Bareinboim, E. and Pearl, J. Causal inference by Conference on Knowledge Discovery and Data Mining
surrogate experiments: z-identifiability. In Proceedings (San Francisco, CA, Aug. 13–17). ACM Press, New
It is important for researchers to of the 28th Conference on Uncertainty in Artificial York, 2016, 1135–1144.
note that the models used in accom- Intelligence, N. de Freitas and K. Murphy, Eds. 27. Robins, J.M. and Greenland, S. Identifiability and
(Catalina Island, CA, Aug. 14–18). AUAI Press, exchangeability for direct and indirect effects.
plishing these tasks are structural Corvallis, OR, 2012, 113–120. Epidemiology 3, 2 (Mar. 1992), 143–155.
3. Bareinboim, E. and Pearl, J. Causal inference and
(or conceptual) and require no com- the data-fusion problem. Proceedings of the National
28. Rosenbaum, P. and Rubin, D. The central role of
propensity score in observational studies for causal
mitment to a particular form of the Academy of Sciences 113, 27 (2016), 7345–7352. effects. Biometrika 70, 1 (Apr. 1983), 41–55.
4. Chen, Z. and Liu, B. Lifelong Machine Learning. Morgan
distributions involved. On the other and Claypool Publishers, San Rafael, CA, 2016.
29. Shimizu, S., Hoyer, P.O., Hyvärinen, A., and Kerminen,
A.J. A linear non-Gaussian acyclic model for causal
hand, the validity of all inferences de- 5. Darwiche, A. Human-Level Intelligence or Animal-Like discovery. Journal of the Machine Learning Research 7
Abilities? Technical Report. Department of Computer
pends critically on the veracity of the Science, University of California, Los Angeles, CA,
(Oct. 2006), 2003–2030.
30. Shpitser, I. and Pearl, J. Complete identification
assumed structure. If the true struc- 2017; https://arxiv.org/pdf/1707.04327.pdf methods for the causal hierarchy. Journal of Machine
6. Graham, J. Missing Data: Analysis and Design
ture differs from the one assumed, (Statistics for Social and Behavioral Sciences).
Learning Research 9 (2008), 1941–1979.
31. Spirtes, P., Glymour, C.N., and Scheines, R. Causation,
and the data fits both equally well, Springer, 2012. Prediction, and Search, Second Edition. MIT Press,
7. Halpern, J.H. and Pearl, J. Causes and explanations: Cambridge, MA, 2000.
substantial errors may result that A structural-model approach: Part I: Causes. British 32. Tian, J. and Pearl, J. A general identification condition
can sometimes be assessed through a Journal of Philosophy of Science 56 (2005), 843–887. for causal effects. In Proceedings of the 18th National
8. Hutson, M. AI researchers allege that machine Conference on Artificial Intelligence (Edmonton, AB,
sensitivity analysis. learning is alchemy. Science (May 3, 2018); https:// Canada, July 28–Aug. 1). AAAI Press/MIT Press,
It is also important for them to keep www.sciencemag.org/news/2018/05/ai-researchers- Menlo Park, CA, 2002, 567–573.
allege-machine-learning-alchemy 33. van der Laan, M.J. and Rose, S. Targeted Learning:
in mind that the theoretical limitations 9. Jaber, A., Zhang, J.J., and Bareinboim, E. Causal Causal Inference for Observational and Experimental
of model-free machine learning do not identification under Markov equivalence. In Data. Springer, New York, 2011.
Proceedings of the 34th Conference on Uncertainty in 34. VanderWeele, T.J. Explanation in Causal Inference:
apply to tasks of prediction, diagnosis, Artificial Intelligence, A. Globerson and R. Silva, Eds. Methods for Mediation and Interaction. Oxford
(Monterey, CA, Aug. 6–10). AUAI Press, Corvallis, OR,
and recognition, where interventions 2018, 978–987.
University Press, New York, 2015.
35. Zhang, J. and Bareinboim, E. Transfer learning
and counterfactuals assume a second- 10. Lake, B.M., Salakhutdinov, R., and Tenenbaum, J.B. in multi-armed bandits: A causal approach. In
Human-level concept learning through probabilistic
ary role. program induction. Science 350, 6266 (Dec. 2015),
Proceedings of the 26th International Joint Conference
on Artificial Intelligence (Melbourne, Australia,
However, the model-assisted meth- 1332–1338. Aug. 19–25). AAAI Press, Menlo Park, CA, 2017,
11. Marcus, G. Deep Learning: A Critical Appraisal.
ods by which these limitations are cir- Technical Report. Departments of Psychology and
1340–1346.
cumvented can nevertheless be trans- Neural Science, New York University, New York, 2018;
https://arxiv.org/pdf/1801.00631.pdf Judea Pearl ([email protected]) is a professor of
ported to other machine learning tasks 12. Mohan, K. and Pearl, J. Graphical Models for computer science and statistics and director of the
where problems of opacity, robust- Processing Missing Data. Technical Report R-473. Cognitive Systems Laboratory at the University of
Department of Computer Science, University of California, Los Angeles, USA.
ness, explainability, and missing data California, Los Angeles, CA, 2018; forthcoming,
are critical. Moreover, given the trans- Journal of American Statistical Association; http://ftp.
cs.ucla.edu/pub/stat_ser/r473.pdf
formative impact that causal model- 13. Mohan, K., Pearl, J., and Tian, J. Graphical models Copyright held by author.
ing has had on the social and health for inference with missing data. In Advances in
Neural Information Processing Systems 26, C.J.C.
sciences,14,25,34 it is only natural to ex- Burges, L. Bottou, M. Welling, Z. Ghahramani, and
pect a similar transformation to sweep K.Q. Weinberger, Eds. Curran Associates, Inc., Red
Hook, NY, 2013, 1277–1285; http://papers.nips.cc/
through machine learning technology paper/4899-graphical-models-for-inference-with-
missing-data.pdf
once it is guided by provisional mod- 14. Morgan, S.L. and Winship, C. Counterfactuals and Watch the author discuss
els of reality. I expect this symbiosis to Causal Inference: Methods and Principles for Social this work in the exclusive
Research (Analytical Methods for Social Research), Communications video.
yield systems that communicate with Second Edition. Cambridge University Press, New https://cacm.acm.org/videos/the-
users in their native language of cause York, 2015. seven-tools-of-causal-inference

60 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 DOI:10.1145 / 3 2 41 9 79

Metamorphic testing can test untestable

software, detecting fatal errors in autonomous
vehicles’ onboard computer systems.
BY ZHI QUAN ZHOU AND LIQUN SUN

Metamorphic
Testing
of Driverless
Cars

Elaine Herzberg became the first

O N MARC H 1 8 , 2 0 1 8 ,
pedestrian in the world to be killed by an autonomous
vehicle after being hit by a self-driving Uber SUV in
Tempe, AZ, at about 10 p.m. Video released by the local
police department showed the self-driving Volvo XC90
did not appear to see Herzberg, as it did not slow down
or alter course, even though she was and all of our customers keep this part
visible in front of the vehicle prior to to themselves”15 ... and “Our LiDAR can
impact. Subsequently, automotive see perfectly well in the dark, as well as
engineering experts raised questions
about Uber’s LiDAR technology.12 Li- key insights
DAR, or “light detection and ranging,”
uses pulsed laser light to enable a self- ˽˽ Many software systems (such as AI
systems and those that control self-
driving car to see its surroundings hun- driving vehicles) are difficult to test
dreds of feet away. using conventional approaches and are
Velodyne, the supplier of the Uber known as “untestable software.”
vehicle’s LiDAR technology, said, “Our ˽˽ Metamorphic testing can test untestable
LiDAR is capable of clearly imaging software in a very cost-effective way,
Elaine and her bicycle in this situation. using a perspective not previously used
by conventional approaches.
However, our LiDAR does not make the
decision to put on the brakes or get ˽˽ We detected fatal software faults in
the LiDAR obstacle-perception module
out of her way” ... “We know absolutely
of self-driving cars and reported the
nothing about the engineering of their alarming results eight days before Uber’s
[Uber’s] part ... It is a proprietary secret, deadly crash in Tempe, AZ, in March 2018.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 61
contributed articles

it sees in daylight, producing millions equately tested software can have seri- challenging. While positive testing
of points of information. However, it is ous consequences.22 Software testing focuses on ensuring a program does
up to the rest of the system to interpret is, however, fundamentally challenged what it is supposed to do for normal
and use the data to make decisions. We by the “oracle problem.” An oracle is a input, negative testing serves to ensure
do not know how the Uber system of de- mechanism testers use to determine the program does not do what it is not
cision making works.”11 whether the outcomes of test-case ex- supposed to do when the input is un-
ecutions are correct.2,24 Most software- expected, normally involving random
Question Concerning testing techniques assume an oracle factors or events. Resource constraints
Every Human Life exists. However, this assumption does and deadline pressures often result in
Regardless of investigation outcomes, not always hold when testing complex development organizations skipping
this Uber fatal accident raised a serious applications. This is thus the oracle negative testing, potentially allowing
question about the perception capabil- problem, a situation where an oracle safety and security issues to persist
ity of self-driving cars: Are there situa- is unavailable or too expensive to be into the released software.5,22
tions where a driverless car’s onboard applied. For example, when a software In the context of negative software
computer system could incorrectly engineer is testing a compiler, deter- testing for autonomous vehicles (if at-
“interpret and use” the data sent from mining the equivalence between the tempted by the development organiza-
a sensor (such as a LiDAR sensor), mak- source code and the compiler-gener- tion), how can the tester identify the
ing the car unable to detect a pedes- ated object program is difficult. When conditions under which the vehicle
trian or obstacle in the roadway? This testing a Web search engine, the tester could potentially do something wrong,
question is not specific to Uber cars but finds it very difficult to assess the com- as in, say, unintentionally striking a
is general enough to cover all types of pleteness of the search results. pedestrian? To a certain degree, tools
autonomous vehicles, and the answer To achieve a high standard of test- called “fuzzers” could help perform
concerns every human life. Unfortu- ing, the tester needs to generate, exe- this kind of negative software testing.
nately, our conclusion is affirmative. cute, and verify a large number of tests. During “fuzzing,” or “fuzz testing,” the
Even though we could not access the These tasks can hardly be done without fuzzer generates a random or semi-ran-
Uber system, we have managed to test test automation. For testing self-driving dom input and feeds it into the system
Baidu Apollo, a well-known real-world vehicles, constructing a fully automat- under test, hoping to crash the system
self-driving software system control- ed test oracle is especially difficult. Al- or cause it to misbehave.22 However,
ling many autonomous vehicles on the though in some situations the human the oracle problem makes verification
road today (http://apollo.auto). Using tester can serve as an oracle to verify the of the fuzz test results (outputs for mil-
a novel metamorphic testing method, vehicle’s behavior, manual monitor- lions of random inputs) extremely dif-
we have detected critical software er- ing is expensive and error-prone. In the ficult, if not impossible.5 In fuzzing,
rors that could cause the Apollo per- Uber accident, for example, the safety the tester thus looks only for software
ception module to misinterpret the driver performed no safety monitoring, crashes (such as aborts and hangs).
point cloud data sent from the LiDAR and because “humans monitoring an This limitation means not only huge
sensor, making some pedestrians and automated system are likely to become numbers of test cases might need to be
obstacles undetectable. The Apollo bored and disengaged,” such testing is run before a crash but also that logic er-
system uses Velodyne’s HDL64E LiDAR “particularly dangerous.”12 rors, which do not crash the system but
sensor,1 exactly the same type of LiDAR The oracle problem is also reflected instead produce incorrect output, can-
involved in the Uber accident.16 in the difficulty of creating detailed not be detected.5 For example, fuzzing
We reported this issue to the Baidu system specifications against which cannot detect the error when a calcula-
Apollo self-driving car team on March the autonomous car’s behavior can be tor returns “1 + 1 = 3.” Neither can sim-
10, 2018, MST (UTC -7), eight days be- checked, as it essentially involves rec- ple fuzzing detect misinterpretation of
fore the Uber accident. Our bug report reating the logic of a human driver’s LiDAR data.
was logged as issue #3341 (https:// decision making.21 Even for highly
github.com/ApolloAuto/apollo/is- qualified human testers with full sys- Metamorphic Testing
sues/3341). We did not receive a re- tem specifications, it can still be dif- Metamorphic testing (MT)6 is a prop-
sponse from Baidu until 10:25 P.M., ficult or even impossible to determine erty-based software-testing technique
March 19, 2018, MST—24 hours af- the correctness of every behavior of an that can effectively address two fun-
ter the Uber accident. In its reply, the autonomous vehicle. For example, in a damental problems in software test-
Apollo perception team confirmed the complex road network, it is difficult for ing: the oracle problem and the auto-
error. Before presenting further details the tester to decide whether the driving mated test-case-generation problem.
of our findings, we first discuss the route selected by the autonomous car The main difference between MT and
challenges of testing complex com- is optimal.3 Likewise, it is not easy to other testing techniques is that the for-
puter systems, with a focus on software verify whether the software system has mer does not focus on the verification
testing for autonomous vehicles. correctly interpreted the huge amount of each individual output of the soft-
of point-cloud data sent from a LiDAR ware under test and can thus be per-
Testing Challenge sensor, normally at a rate of more than formed in the absence of an oracle. MT
Testing is a major approach to software one million data points per second. checks the relations among the inputs
quality assurance. Deploying inad- “Negative testing” is even more and outputs of multiple executions of

62 COM MUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 contributed articles

the software. Such relations are called Fraunhofer researchers looked for be- some situations. This was because the
“metamorphic relations” (MRs) and havioral differences of the drone when researchers rotated all the objects in
are necessary properties of the intend- it was flying under these different (sup- the environment, but not the sun, un-
ed program’s functionality. If, for cer- posedly equivalent) scenarios. Their expectedly causing a shadow to fall on
tain test cases, an MR is violated, then MRs required the drone should have the landing pad in some orientations,
the software must be faulty. Consider, consistent behavior, while finding that revealing issues in the drone’s vision
for example, the testing of a search in some situations the drone behaved system. The researchers solved this
engine. Suppose the tester entered a inconsistently, revealing multiple soft- with a more robust vision sensor that
search criterion C1 and the search en- ware defects. For example, one of the was less sensitive to lighting changes.
gine returned 50,000 results. It may not bugs was in the sense-and-avoid algo- Researchers from the University of
be easy to verify the accuracy and com- rithm, making the algorithm sensitive Virginia and from Columbia University
pleteness of these 50,000 results. Nev- to certain numerical values and hence tested three different deep neural net-
ertheless, an MR can be identified as misbehavior under certain conditions, work (DNN) models for autonomous
follows: The search results for C1 must causing the drone to crash. The re- driving.21 The inputs to the models
include those for C1 AND C2, where C2 searchers detected another bug after were pictures from a camera, and the
can be any additional condition (such running hundreds of tests using dif- outputs were steering angles. To verify
as a string or a filter). If the actual ferent rotations of the environment: the correctness of the outputs, the re-
search results violate this relation, the The drone had landing problems in searchers used a set of MRs based on
search engine must be at fault. Here,
the search criterion “C1 AND C2” is a Figure 1. Input pictures used in a metamorphic test revealing inconsistent and erroneous
behavior of a DNN (https://deeplearningtest.github.io/deepTest).21
new test case that can be constructed
automatically based on the source test
case “C1” (whereas C2 could be gener-
ated automatically and randomly) and
the satisfaction of the MR can also be
verified automatically through a test-
ing program.
A growing body of research from
both industry and academia has ex-
amined the MT concept and proved it
highly effective.4,7–9,13,18–20 The increas-
ing interest in MT is not only due to it
being able to address the oracle prob-
lem and automate test generation but (a) original (b) with added rain
also the perspective of MT has seldom
been used in previous testing strate-
gies and, as a result, has detected a Figure 2. MT detected a real-life bug in Google Maps;3,20 the origin and destination of the route
were almost at the same point, but Google Maps generated an “optimal” route of 4.9 miles.
large number of previously unknown
faults in many mature systems (such as
the GCC and LLVM compilers),10,17 the
Web search engines Google and Bing,25
and code obfuscators.5

MT for Testing
Autonomous Machinery
Several research groups have begun to
apply MT to alleviate the difficulties in
testing autonomous systems, yielding
encouraging results.
For example, researchers from the
Fraunhofer Center for Experimental
Software Engineering in College Park,
MD, developed a simulated environ-
ment in which the control software of
autonomous drones was tested using
MT.14 The MRs made use of geomet-
ric transformations (such as rotation
and translation) in combination with
different formations of obstacles in
the flying scenarios of the drone. The

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 63
contributed articles

Figure 3. Results of experiments by category, visualized as 100% stacked column charts.

Each vertical column represents the comparisons of 1,000 pairs of results, where the blue subsection implies MR1 violations.
Each blue subsection is labeled with the actual number of |O| > |O′| cases (out of the 1,000 pairs).

100% 100% 100% 100% 100%

90% 90% 90% 90% 90%

80% 80% 80% 80% 80%

70% 70% 70% 70% 70%

60% 60% 60% 60% 60%

50% 50% 50% 50% 50%

40% 40% 40% 40% 40%

30% 30% 30% 30% 30%

20% 20% 20% 20% 20%

335 303
10% 10% 10% 10% 10%
121 116
27 25 18 61 15 47 7 13
0% 0% 0% 3 0% 3 0% 1
n = 10

n = 100

n = 1000

n = 10

n = 100

n = 1000

n = 10

n = 100

n = 1000

n = 10

n = 100

n = 1000

n = 10

n = 100

n = 1000
(a) total (b) car (c) pedestrian (d) cyclist (e) unknown

image transformations. The MRs said to navigate autonomous cars,3 iden- as a camera and LiDAR), they studied
the car should behave similarly under tifying a set of MRs for the navigation only the ordinary two-dimensional pic-
variations of the same input (such as system. For example, one of the MRs ture input from a camera, and the out-
the same scene under different light- was “that a restrictive condition such put considered was the steering angle
ing conditions). Using these MRs, they as avoiding tolls should not result in a calculated by the DNN model based on
generated realistic synthetic images more optimal route.” With these MRs, the input picture. The software tested
based on seed images. These synthetic we detected a large number of real-life was not real-life systems controlling au-
images mimic real-world phenomena bugs in Google Maps, one shown in Fig- tonomous cars but rather deep learn-
(such as camera lens distortions and ure 2; the origin and destination points ing models that “won top positions in
different weather conditions). Using were almost at the same location, but the Udacity self-driving challenge.”
MT, together with a notion of neuron Google Maps returned a route of 4.9 Unlike their work, this article re-
coverage (the number of neurons ac- miles, which was obviously unaccept- ports our testing of the real-life Apollo
tivated), the researchers found a large able. system, which is the onboard software
number of “corner case” inputs lead- in Baidu’s self-driving vehicles. Baidu
ing to erroneous behavior in three LiDAR-Data-Interpretation Errors also claims users can directly use the
DNN models. Figure 1 is an example, The scope of the study conducted by software to build their own autono-
whereby the original trajectory (the the researchers from the University of mous cars (http://apollo.auto/coopera-
blue arrow) and the second trajectory Virginia and from Columbia Universi- tion/detail_en_01.html).
(the red arrow) are inconsistent, reveal- ty21 was limited to DNN models. A DNN Software under test. More specifi-
ing dangerous erroneous behavior of model is only part of the perception cally, we tested Apollo’s perception
the DNN model under test. module of a self-driving car’s software module (http://apollo.auto/platform/
We recently applied MT to test system. Moreover, while a DNN can perception.html), which has two key
Google Maps services that can be used take input from different sensors (such components: “three-dimensional ob-
stacle perception” and “traffic-light
Test results; for each value of n, we compared 1,000 pairs of results. perception.” We tested the three-
dimensional obstacle perception
number of added points (n) |O| > |O'| |O| = |O'| |O| < |O'|
component, which itself consisted of
10 27 951 22
three subsystems: “LiDAR obstacle
perception,” “RADAR obstacle percep-
100 121 781 98
tion,” and “obstacle results fusion.”
1,000 335 533 132
Although our testing method is appli-
cable to all three subsystems, we tested

64 COMMUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 contributed articles

only the first, LiDAR obstacle percep- the ROI for subsequent processing; MinBox builder (tested in our experi-
tion (or LOP), which takes the three- Convolutional neural networks seg- ments). This object builder component
dimensional point cloud data as input, mentation (tested in our experiments). establishes a bounding box for the de-
as generated by Velodyne’s HDL64E After identifying the surrounding en- tected obstacles;
LiDAR sensor. vironment using the HDMap ROI fil- HM object tracker (not tested in our
LOP resolves the raw point-cloud ter, the Apollo software obtains the experiments). This tracker is designed
data using the following pipeline, as filtered point cloud that includes only to track obstacles detected in the seg-
excerpted from the Apollo website the points inside the ROI—the drivable mentation step; and
(https://github.com/ApolloAuto/apollo/ road and junction areas. Most of the Sequential type fusion (not tested in
blob/master/docs/specs/3d_obstacle_ background obstacles (such as build- our experiments). To smooth the ob-
perception.md): ings and trees along the road) have stacle type and reduce the type switch
HDMap region of interest filter (test- been removed, and the point cloud in- over the entire trajectory, Apollo uses a
ed in our experiments). The region of side the ROI is fed into the “segmenta- sequential type fusion algorithm.
interest (ROI) specifies the drivable tion” module. This process detects and Our software-testing experiments
area, including road surfaces and segments out foreground obstacles involved the first, second, and third
junctions that are retrieved from (such as cars, trucks, bicycles, and pe- but not the fourth and fifth features,
a high-resolution (HD) map. The destrians). Apollo uses a deep con- because the first three are the most
HDMap ROI filter processes LiDAR volutional neural network (CNN) for critical and fundamental.
points that are outside the ROI, re- accurate obstacle detection and seg- Our testing method: MT in com-
moving background objects (such as mentation. The output of this process bination with fuzzing. Based on the
buildings and trees along the road). is a set of objects corresponding to ob- Baidu specification of the HDMap ROI
What remains is the point cloud in stacles in the ROI; filter, we identified the following meta-

Figure 4. MT detected real-life fatal errors in LiDAR point-cloud data interpretation in the Apollo “perception” module: three missing cars
and one missing pedestrian.

(a) Original: 101,676 LiDAR data points; the green (c) Original: 104,251 LiDAR data points; the small
boxes were generated by the Apollo system to pink mark was generated by the Apollo system to
represent the detected cars. represent a detected pedestrian.

(b) After adding 1,000 random data points outside (d) After adding only 10 random data points out-
the ROI, the three cars inside the ROI could no side the ROI, the pedestrian inside the ROI could
longer be detected. no longer be detected.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 65
contributed articles

morphic relation, whereby the soft- ditional points into the three-dimen-
ware under test is the LiDAR obstacle sional space outside the ROI of t; we
perception (LOP) subsystem of Apollo, determined the value of the z coordi-
A and A′ represent two inputs to LOP, nate of each point by choosing a ran-
and O and O′ represent LOP’s outputs
for A and A′, respectively. As an extreme dom value between the minimum and
maximum z-coordinate values of all
MR1. Let A and A′ be two frames of
three-dimensional point cloud data
example, a small points in t. Using a similar approach,
we also generated a d value—the re-
that are identical except that A′ in- insect 100 meters flected intensity of the laser—for each
cludes a small number of additional
LiDAR data points randomly scattered
away — outside added point. We then ran the LOP soft-
ware for t′, producing O′, the set of de-
in regions outside the ROI. Also let O the ROI  — should tected obstacles. Finally, we compared
and O′ be the sets of obstacles identi-
fied by LOP for A and A′, respectively
not interfere with O and O′. We conducted three series of
experiments: for n = 10, 100, and 1,000.
(LOP identifies only obstacles within the detection We thus ran the LOP software for a to-
the ROI). The following relation must
then hold: O ⊆ O′. of a pedestrian in tal of (1,000 + 1,000) × 3 = 6,000 times,
processing 3,000 source test cases and
In MR1, the additional LiDAR data front of the vehicle. 3,000 follow-up test cases.
points in A′ could represent small par- Test results. In our experiments, for
ticles in the air or just some noise from ease of implementation of MR1, we did
the sensor, whose existence is pos- not check the subset relation O ⊆ O′
sible.23 MR1 says the existence of some but instead compared the numbers of
particles, or some noise points, or their objects contained in O and O′, denoted
combination, in the air far from the by |O| and |O′|, respectively. Note that
ROI should not cause an obstacle on O ⊆ O′ → |O|≤ |O′|; hence, the condi-
the roadway to become undetectable. tion we actually checked was less strict
As an extreme example, a small insect than MR1. That is, if |O| > |O′|, then
100 meters away — outside the ROI —  there must be something wrong, as
should not interfere with the detection one or more objects in O must be miss-
of a pedestrian in front of the vehicle. ing in O′.
This requirement is intuitively valid The results of our experiments were
and agrees with the Baidu specification quite surprising; the table here sum-
of its HDMap ROI filter. According to marizes the overall results. The viola-
the user manual for the HDL64E LiDAR tion rates (that is, cases for |O| > |O′|
sensor, it can be mounted atop the ve- out of 1,000 pairs of outputs) were 2.7%
hicle, delivering a 360° horizontal field (= 27 ÷ 1,000), 12.1% (=121÷ 1,000), and
of view and a 26.8° vertical field of view, 33.5% (= 335 ÷ 1,000), for n = 10, 100,
capturing a point cloud with a range up and 1,000, respectively. This means as
to 120 meters. few as 10 sheer random points scat-
We next describe the design of three tered in the vast three-dimensional
series of experiments to test the LOP space outside the ROI could cause the
using MR1. The Apollo Data Open Plat- driverless car to fail to detect an ob-
form (http://data.apollo.auto) provides stacle on the roadway, with 2.7% prob-
a set of “vehicle system demo data”— ability. When the number of random
sensor data collected at real scenes. We points increased to 1,000, the probabil-
downloaded the main file of this data- ity became as high as 33.5%. According
set, named demo-sensor-demo-apollo- to the HDL64E user manual, the LiDAR
1.5.bag (8.93GB). This file included sensor generates more than one mil-
point cloud data collected by Baidu lion data points per second, and each
engineers using the Velodyne LiDAR frame of point cloud data used in our
sensor on the morning of September 6, experiments normally contained more
2017. In each series of experiments, we than 100,000 data points. The random
first randomly extracted 1,000 frames points we added to the point cloud
of the point cloud data; we call each frames were thus trivial.
such frame a “source test case.” For The LOP software in our experi-
each source test case t, we ran the LOP ments categorized the detected ob-
software to identify its ROI and gener- stacles into four types: detected car,
ate O, the set of detected obstacles for pedestrian, cyclist, and unknown, as
t. We then constructed a follow-up test “depicted by bounding boxes in green,
case t′ by randomly scattering n ad- pink, blue and purple respectively”

66 COMMUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 contributed articles

(http://apollo.auto/platform/perception. unknown fatal errors in the real-life Proceedings of the IEEE/ACM First International
Workshop on Metamorphic Testing, in conjunction
html). Figure 3b to Figure 3e summa- LiDAR obstacle perception system of with the 38th International Conference on Software
rize the test results of these categories, Baidu’s Apollo self-driving software. Engineering (Austin, TX, May 16). ACM Press, New
York, 2016.
and Figure 3a shows the overall results The scope of our study was limited 10. Le, V., Afshari, M., and Su, Z. Compiler validation via
corresponding to the Table. to LiDAR obstacle perception. Apart equivalence modulo inputs. In Proceedings of the 35th
ACM SIGPLAN Conference on Programming Language
Each vertical column in Figure 3 in- from LiDAR, an autonomous vehicle Design and Implementation (Edinburgh, U.K., June
cludes a subsection in blue, correspond- may also be equipped with radar. Ac- 9–11). ACM Press, New York, 2014, 216–226.
11. Lee, D. Sensor firm Velodyne ‘baffled’ by Uber self-
ing to MR1 violations. They are labeled cording to the Apollo website (http:// driving death. BBC News (Mar. 23, 2018); http://www.
bbc.com/news/technology-43523286
with the actual numbers of |O| > |O′| data.apollo.auto), “Radar could pre- 12. Levin, S. Uber crash shows ‘catastrophic failure’ of
cases. We observed that all these num- cisely estimate the velocity of moving self-driving technology, experts say. The Guardian
(Mar. 23, 2018); https://www.theguardian.com/
bers were greater than 0, indicating obstacles, while LiDAR point cloud technology/2018/mar/22/self-driving-car-uber-death-
critical errors in the perception of all could give a better description of ob- woman-failure-fatal-crash-arizona
13. Lindvall, M., Ganesan, D., Árdal, R., and Wiegand, R.E.
four types of obstacles: car, pedestrian, ject shape and position.” Moreover, Metamorphic model-based testing applied on NASA
cyclist, and unknown. Relatively speak- there can also be cameras, which DAT — An experience report. In Proceedings of the
37th IEEE/ACM International Conference on Software
ing, the error rate of the “car” category are particularly useful for detecting Engineering (Firenze, Italy, May 16-24). IEEE, 2015,
was greatest, followed by “pedestrian,” visual features (such as the color of 129–138.
14. Lindvall, M., Porter, A., Magnusson, G., and Schulze,
“cyclist,” and “unknown.” traffic lights). Our testing technique C. Metamorphic model-based testing of autonomous
Figure 4a and Figure 4b show a real- can be applied to radar, camera, and systems. In Proceedings of the Second IEEE/ACM
International Workshop on Metamorphic Testing, in
world example revealed by our test, other types of sensor data, as well as conjunction with the 39th International Conference on
whereby three cars inside the ROI could obstacle-fusion algorithms involving Software Engineering (Buenos Aires, Argentina, May
22). IEEE, 2017, 35–41.
not be detected after we added 1,000 multiple sensors. In future research, 15. Ohnsman, A. LiDAR maker Velodyne ‘baffled’ by
random points outside the ROI. Fig- we plan to collaborate with industry to self-driving Uber’s failure to avoid pedestrian. Forbes
(Mar. 23, 2018); https://www.forbes.com/sites/
ure 4c and Figure 4d show another ex- develop MT-based testing techniques, alanohnsman/2018/03/23/lidar-maker-velodyne-
baffled-by-self-driving-ubers-failure-to-avoid-
ample, whereby a pedestrian inside the combined with existing verification pedestrian
ROI (the Apollo system depicted this and validation methods, to make driv- 16. Posky, M. LiDAR supplier defends hardware, blames
Uber for fatal crash. The Truth About Cars (Mar. 23,
pedestrian with the small pink mark in erless vehicles safer. 2018); http://www.thetruthaboutcars.com/2018/03/
Figure 4c) could not be detected after lidar-supplier-blames-uber/
17. Regehr, J. Finding Compiler Bugs by Removing Dead
we added only 10 random points out- Acknowledgments Code. Blog, June 20, 2014; http://blog.regehr.org/
side the ROI; as shown in Figure 4d, the This work was supported in part archives/1161
18. Segura, S., Fraser, G., Sanchez, A.B., and Ruiz-
small pink mark was missing. As men- by a linkage grant from the Austra- Cortés, A. A survey on metamorphic testing. IEEE
tioned earlier, we reported the bug to lian Research Council, project ID: Transactions on Software Engineering 42, 9 (Sept.
2016), 805–824.
the Baidu Apollo self-driving car team LP160101691. We would like to thank 19. Segura, S. and Zhou, Z.Q. Metamorphic testing:
on March 10, 2018. On March 19, 2018, Suzhou Insight Cloud Information Introduction and applications. ACM SIGSOFT
webinar, Sept. 27, 2017; https://event.on24.com/wcc/r/
the Apollo team confirmed the error by Technology Co., Ltd., for supporting 1451736/8B5B5925E82FC9807CF83C84834A6F3D
acknowledging “It might happen” and this research. 20. Segura, S. and Zhou, Z.Q. Metamorphic testing 20
years later: A hands-on introduction. In Proceedings
suggested “For cases like that, models of the 40th IEEE/ACM International Conference on
can be fine tuned using data augmen- Software Engineering (Gothenburg, Sweden, May 27–
References June 3, 2018). ACM Press, New York, 2018.
tation”; data augmentation is a tech- 1. Baidu, Inc. Apollo Reference Hardware, Mar. 2018; 21. Tian, Y., Pei, K., Jana, S., and Ray, B. DeepTest:
http://apollo.auto/platform/hardware.html Automated testing of deep neural network-driven
nique that alleviates the problem of 2. Barr, E.T., Harman, M., McMinn, P., Shahbaz, M., and autonomous cars. In Proceedings of the 40th
lack of training data in machine learn- Yoo, S. The oracle problem in software testing: A IEEE/ACM International Conference on Software
survey. IEEE Transactions on Software Engineering Engineering (Gothenburg, Sweden, May 27–June 3,
ing by inflating the training set through 41, 5 (May 2015), 507–525. 2018). ACM Press, New York, 2018.
3. Brown, J., Zhou, Z.Q., and Chow, Y.-W. Metamorphic
transformations of the existing data. testing of navigation software: A pilot study with
22. Vassilev, A. and Celi, C. Avoiding cyberspace
catastrophes through smarter testing. Computer 47,
Our failure-causing metamorphic test Google Maps. In Proceedings of the 51st Annual Hawaii 10 (Oct. 2014), 102–106.
International Conference on System Sciences (Big
cases (those with the random points) Island, HI, Jan. 3–6, 2018) 5687–5696; http://hdl.
23. Velodyne, Velodyne’s HDL-64E: A High-Definition
LiDAR Sensor for 3-D Applications, White Paper, 2007;
could thus serve this purpose. handle.net/10125/50602 https://www.velodynelidar.com/
4. Chen, T.Y., Kuo, F.-C., Liu, H., Poon, P.-L., Towey, D., Tse, 24. Zhou, Z.Q., Towey, D., Poon, P.-L., and Tse, T.H.
T.H., and Zhou, Z.Q. Metamorphic testing: A review Introduction to the special issue on test oracles.
Conclusion of challenges and opportunities. ACM Computing Journal of Systems and Software 136 (Feb. 2018), 187;
Surveys 51, 1 (Jan. 2018), 4:1–4:27.
The 2018 Uber fatal crash in Tempe, 5. Chen, T.Y., Kuo, F.-C., Ma, W., Susilo, W., Towey, D.,
https://doi.org/10.1016/j.jss.2017.08.031
25. Zhou, Z.Q., Xiang, S., and Chen, T.Y. Metamorphic
AZ, revealed the inadequacy of con- Voas, J., and Zhou, Z.Q. Metamorphic testing for testing for software quality assessment: A study
cybersecurity. Computer 49, 6 (June 2016), 48–55. of search engines. IEEE Transactions on Software
ventional testing approaches for mis- 6. Chen, T.Y., Tse, T.H., and Zhou, Z.Q. Fault-based testing Engineering 42, 3 (Mar. 2016), 264–284.
sion-critical autonomous systems. without the need of oracles. Information and Software
Technology 45, 1 (2003), 1–9.
We have shown MT can help address 7. Donaldson, A.F., Evrard, H., Lascu, A., and Thomson,
Zhi Quan Zhou ([email protected]) is an associate
this limitation and enable automatic P. Automated testing of graphics shader compilers.
professor in software engineering at the School of
Proceedings of the ACM on Programming Languages 1
detection of fatal errors in self-driv- Computing and Information Technology, University of
(2017), 93:1–93:29.
Wollongong, Wollongong, NSW, Australia.
ing vehicles that operate on either 8. Jarman, D.C., Zhou, Z.Q., and Chen, T.Y. Metamorphic
testing for Adobe data analytics software. In Liqun Sun ([email protected]) is pursuing an
conventional algorithms or deep Proceedings of the IEEE/ACM Second International M.Phil. degree in computer science at the University of
Workshop on Metamorphic Testing, in conjunction
learning models. We have introduced with the 39th International Conference on Software
Wollongong, Wollongong, NSW, Australia, and a software
engineer at Itree, Wollongong, Australia.
an innovative testing strategy that Engineering (Buenos Aires, Argentina, May 22). IEEE,
2017. 21–27; https://doi.org/10.1109/MET.2017.1
combines MT with fuzzing, reporting 9. Kanewala, U., Pullum, L.L., Segura, S., Towey, D., and
how we used it to detect previously Zhou, Z.Q. Message from the workshop chairs. In © 2019 ACM 0001-0782/19/3

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 67
contributed articles
DOI:10.1145/ 3231588
enriched data, and dynamically generat-
The system transforms raw telemetric data ing informative and engaging data-driv-
en blogs aimed at the general public.
into engaging and informative blog texts Geospatial data is ubiquitous in to-
readily understood by all. day’s world, with vast quantities of
telemetric data collected by GPS re-
BY ADVAITH SIDDHARTHAN, KAPILA PONNAMPERUMA, ceivers on, for example, smartphones
CHRIS MELLISH, CHEN ZENG, DANIEL HEPTINSTALL, and automotive black boxes. Adop-
ANNIE ROBINSON, STUART BENN, AND RENÉ VAN DER WAL tion of telemetry has been particular-
ly striking in the ecological realm,

Blogging
where the widespread use of satellite
tags has greatly advanced our under-
standing of the natural world.14,23 De-
spite its increasing popularity, GPS

Birds:
telemetry involves the important
shortcoming that both the handling
and the interpretation of often large
amounts of location data is time con-

Telling Informative
suming and thus done mostly long af-
ter the data has been gathered.10,24 This
hampers fruitful use of the data in na-
ture conservation where immediate

Stories About
data analysis and interpretation are
needed to take action or communicate
to a wider audience.25,26

the Lives
The widespread availability of GPS
data, along with associated difficulties
interpreting and communicating it in

of Birds from
real time, mirrors the scenario seen with
other forms of numeric or structured
data. It should be noted that the use of

Telemetric Data
computational methods for data analy-
sis per se is hardly new; much of science
depends on statistical analysis and asso-
ciated visualization tools. However, it is
generally understood that such tools are
mediated by human operators who take
responsibility for identifying patterns in

key insights
BLOGGING BIRDS IS a novel artificial intelligence ˽˽ Summarizing environmentally enriched
satellite-tag data in the form of
program that generates creative texts to communicate informative, engaging, and fluent blogs is
telemetric data derived from satellite tags fitted to red a challenge, even for trained ecologists,
and computer-generated blogs were
kites — a medium-size bird of prey — as part of a preferred by readers.
Natural language generation, specifically
species reintroduction program in the U.K. We ˽˽
data-to-text technology, is sufficiently
address the challenge of communicating telemetric advanced to achieve more than just
factual summarization of data for
sensor data in real time by enriching it with professional use.

meteorological and cartographic data, codifying ˽˽ This development opens new avenues
for addressing societal challenges
ecological knowledge to allow creative interpretation related to communicating data
effectively and engaging the public with
of the behavior of individual birds in respect to such scientific research.

68 COMMUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 data, as well as communicating them ac- software that summarizes data as textu- defined by the Oxford Dictionary as
curately. An important but relatively re- al reports; indeed, print-media organi- “writing, typically fiction, or poetry,
cent addition to the growing field of data zations are increasingly turning to ro- which displays imagination or inven-
science is a technology called natural bo-journalism, and many routine tion (often contrasted with academic or
language generation15 that automates data-driven news stories that are time journalistic writing).”a It is frequently
the entire data pipeline to produce tex- consuming and mundane for profes- said that creativity, especially in rela-
tual reports from data, whether numeric sional journalists to write are being tion to design, requires the work to not
or structured. Originally developed to of- written entirely by computer programs. just be imaginative or inventive but also
fer decision support in the workplace, Such data-to-text applications require “appropriate,” as in Sternberg.19 In his
natural language generation has gener- accuracy and clarity first and foremost, account of writing as design, Sharples18
ated textual summaries of technical and it has been noted that for work- related the idea of appropriateness to
data for professionals, including engi- place applications consistency in lan- “constraints,” which provide the frame-
IMAGE BY AND RIJ BORYS ASSOCIAT ES/SHUT TERSTOCK

neers, nurses, and oil-rig workers,5,9,13,21 guage use is the main reason why com- work and context for creative expres-
and is increasingly mainstream. Gart- puter-generated output is preferred to sion and can be imposed either by the
ner, Inc. forecast in 2017 that 90% of text produced by humans.16 literary genre or by the conceptual
business intelligence systems will in- At the other end of the spectrum of space in which the writer is working.
corporate natural language generation computer-generated language is the Computer programs for computa-
by 2019.11 Companies like Arria discipline of computational creativity, tional creativity use static knowledge
(https://www.arria.com/), Narrative Sci- whereby computer programs attempt sources, typically manually construct-
ence (https://narrativescience.com/), to construct jokes,1 short stories,7 and
and Automated Insights (http://auto- poetry.8 Here, we use the term “creativi- a https://en.oxforddictionaries.com/definition/
matedinsights.com/) have developed ty” in the context of “creative writing,” creative_writing

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 69
contributed articles

ed, to source joke templates, narrative allowed the children to personalize ing data from these tags for
plots, story grammars, and characters. their stories by editing system output. public-engagement activities sur-
In the storytelling domain, creativity The body of work summarized ear- rounding the reintroduction initiative,
manifests itself through emergent nar- lier either generates factual reports to communicate ecological insight
ratives dynamically created through from real-world data, with creativity in- that enhances people’s understanding
the interactions of characters modeled troduced through direct human input22 of the species, and to create a positive
as intelligent agents,20 construction of or generates creative texts from formal image of the species to harness public
different narratives from the same un- representation without recourse to re- support for the reintroduction.24 RSPB
derlying plot representation,17 or the al-world data. We are unaware of any staff were themselves also keen to gain
tailoring of linguistic components to previous computer program that gen- a better understanding of the lives of
generate human-like narrative prose.3 erates creative texts from real-world reintroduced birds, particularly how
Deep neural networks have recently data without human input. Addressing they recolonized a landscape that held
been applied to the generation of poet- this gap, we describe Blogging Birds, precious few red kites for well over a
ry by predicting likely word sequences which we designed to generate creative century. They appreciated the inherent
fitting a mood or theme while also texts from data generated by satellite limitations in the data generated by the
modeling tonal and structural con- tags fitted to animals. The focal species tags and were open to imaginative in-
straints imposed by specific genres like for Blogging Birds is the red kite (Mil- terpretations of the data, so long as the
Chinese quatrains.28,29 vus milvus). This bird of prey was once behaviors being narrated were ecologi-
Earlier work exists on communicat- widespread in the U.K., but prolonged cally plausible.
ing spatiotemporal data in the form of and intense persecution led to its near These requirements allowed us an
stories22 to help children with complex extinction by the 1940s. opportunity to investigate data-driven
communication needs describe their In 1989, the Royal Society for the generation of creative texts by com-
school day to their parents. Here, mi- Protection of Birds (RSPB) started a puters, something we believe Blog-
crophone and radio frequency identifi- scheme to reintroduce the species in ging Birds is so far unique in its abili-
cation (RFID) readers were mounted on various locations across the U.K.4 In ty to achieve. The generated texts are
wheelchairs to make audio recordings one of these locations, the Black Isle creative in that they display imagina-
by teachers or interactions with RFID- near Inverness in the north of Scot- tion and inventiveness in how they in-
tagged locations, people, and objects. land, several birds were equipped with terpret and report data under con-
In this work, the computer-generated solar-powered satellite tags. Limited straints imposed by kite ecology and
text was restricted to a factual summary human resources meant the tags were the data itself. We sought to answer
of interactions recorded by RFID, while used mainly to locate birds that had two research questions through ex-
creativity was incorporated either died to foster detection and prosecu- periments: Would the computer-gen-
through voice recordings provided by tion of possible wildlife crimes. How- erated blogs be well perceived by
teachers or through functionality that ever, it was felt there was scope for us- readers in comparison to blogs writ-
ten by humans based on the same
Figure 1. System architecture. data?; and How important would the
creative narration of ecological in-
NLG Architecture sight be to readers’ perceptions of
Satellite Fixes Sentence Realiser computer-generated blogs?

Data Augmentation Data Analysis Micro Planner The Blogging Birds System
The starting aim of Blogging Birds was
Habitat Data Home Range Document Planner
Calculations to bring satellite-tagged individuals of
Text Planner

Ecological Domain Model

Terrain Data
a species (such as the red kite) “to life”
Detection of
Excursions
by constructing ecologically sound nar-
Weather Data Pattern Detection ratives describing their movements.
Conservationists fitted satellite tags—
PTT-100 22-gram Solar Argos/GPS

Table 1. Example augmented data used for pattern mining for one day of one week for a particular bird.

Wind
Speed Distance
Day Temp Visibility (miles Flown
of Week Hour Habitat Weather (C°) (meters) per hour) Location Features (miles) Other Kites
Friday 08:00 Coniferous woodland Overcast 13.0 24,000 3 East Croachy Loch Ruthven 0
Friday 10:00 Rough grassland Heavy rain 13.9 5,000 2 Torness Loch Ruthven 4
Friday 12:00 Rough grassland Heavy rain 16.0 3,600 2 Torness Loch Ruthven 2
Friday 14:00 Rough grassland Heavy rain 16.0 3,600 2 Torness Loch Ruthven 2 Merida
Friday 16:00 Improved grassland Overcast 18.4 45,000 2 Torness 3

70 COMMUNICATIO NS O F TH E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 contributed articles

PTT—to red kite chicks immediately Figure 2. Prototypical red kite movement patterns: C1 is small and constricted movements
prior to fledging, using a backpack har- within an area of intense usage (home range); C2 is exploratory movement from a home
ness designed for minimal hindrance. range (round trip); and C3 is direct movements between separate home ranges.
The tags were solar-powered and pro-
grammed to record up to six location
fixes per day. Although this maximum
could indeed be achieved during the
summer months, a lack of sunlight in
Scotland meant fewer fixes (a maxi-
mum of four per day) were obtained C1 C2 C3
in spring and autumn and only the oc-
casional fix during winter. To further
preserve battery power, data was trans- Figure 3. Calculated home ranges (gray polygons) and classification of fixes as excursions
mitted from the tag to the satellite only (black crosses) or non-excursions (amber crosses) for a particular bird.
once per week. We thus configured
Blogging Birds to produce a blog every
week, or each time data was received 58
from a bird.
Figure 1 outlines the overall archi-
tecture of the Blogging Birds system.
We next describe the main compo-
nents; see also Ponnamperuma et al.12
57
Data augmentation. The system pro-
cesses an email messages with GPS
Latitude

fixes from the tags fixed to the red kites

and enriches that data from readily
available online sources about the lo-
cal weather (https://www.metoffice.gov. 56
uk/datapoint), habitat (such as differ-
ent types of grassland and forests,
https://eip.ceh.ac.uk/lcm), and geo-
graphic features (such as rivers, lochs,
roads, and location names, https://
55
www.ordnancesurvey.co.uk/). Table 1
presents a sample of the enriched data
used by Blogging Birds.
Data analysis. The system then ap-
plies data-analysis procedures for
identifying home ranges and patterns –5 –4 –3 –2
of movement with respect to these
temporary settlement areas. Home Longitude
ranges are identified as polygons using
the Adehabitat package for R2 by clus-
tering the previous locations of an indi-
vidual using 90% kernels. As described (black crosses) and non-excursions home ranges, or moves from one home
by van der Wal et al.,24 we modeled lo- (amber crosses). range to another. An ecological-do-
cal movement patterns as angular and Document planner. The document main model further defines different
radial velocity vectors to identify excur- planner in Figure 3 identifies pat- travel, foraging, and social behaviors
sions, characterized by travel in rela- terns in the data that signal different as rules that can apply under specific
tively straight lines at higher speeds. red kite behaviors and creates “mes- environmental and geographic condi-
This data analysis allows the document sages” (implemented as Java classes) tions; for instance, following heavy
planner (described next) to detect the that encode these behaviors for use rain, a kite observed on any of the
three prototypical patterns of move- by the “micro planner” and “sentence grassland habitats might feed on earth-
ment in Figure 2, whereby the kite re- realiser,” which then generate sen- worms or a kite observed near a wood-
mains within a home range, explores tences in English. land habitat late in the afternoon is
an area outside its home ranges, or The data analysis allows us to detect likely to be preparing to roost. These
moves from one home range to anoth- the three prototypical patterns of rules are implemented as JBoss Drools
er. Figure 3 shows the calculated home movement outlined in Figure 2, where- (http://www.jboss.org/drools), a busi-
ranges for a bird (gray polygons), as by the kite remains within a home ness-logic-integration platform that al-
well as the fixes classified as excursions range, explores an area outside its lows us to instantiate messages when

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 71
contributed articles

Figure 4. Screenshot of the Blogging Birds Web interface. ˲˲ Generate a message about a new
(not previously used) possible forag-
ing behavior, if any deduced; unusual
(historically infrequent) behaviors are
selected over common ones.
Remove redundancy. Aggregate the
messages generated for the week
through these two steps to remove re-
dundancy (such as by grouping to-
gether days with similar behaviors).

Paragraph 3
Movement pattern. Generate a message
for a question or comment based on
the movement pattern—C1, C2 or C3—
with the aim of intriguing the reader.
Micro planner and sentence realiser.
The micro planner takes the messages
particular patterns are detected in the The content is selected through a generated by the document planner,
data. In total, the system implements process of summarization and aggre- implements aggregation through a va-
Drools for 26 movement behaviors gation of information. This is the sec- riety of linguistic devices (such as rang-
(such as flying along a coast or over a ond creative aspect of the blog genera- es, coordination, and subordination),
landmark like a castle or loch and the tion (the first involved imagining a and limits linguistic repetition by vary-
home-range-related movement pat- wide range of possible behaviors), as it ing the vocabulary. It provides sentence
terns in Figure 2); 33 foraging behav- plans what story to tell from the imag- specifications to the “sentence realiser,”
iors, mostly detailing the food avail- ined behaviors. Blogging Birds aims to which then generates sentences using
able for a kite in different habitats at provide an overview of the main behav- the SimpleNLG library.6
different times of the year but also iors and highlight aspects that might Figure 4 is a screenshot of the Blog-
sometimes related to specific features be interesting to the human reader. ging Birds interface in which an auto-
(such as when a red kite near a road Movement behaviors are considered matically generated weekly blog for a
might be looking for roadkill); and six more interesting than foraging behav- kite is overlaid on a Google map of the
social behaviors (such as roosting and iors, and rarer foraging behaviors are bird’s whereabouts with its historical
nesting); see the online appendix “Ex- prioritized over more frequent ones. home ranges marked as blue poly-
ample Rules” (dl.acm.org/citation.cfm Each blog attempts to inform the read- gons. In this example, Wyvis, one of
?doid=3231588&picked=formats). er about different aspects of red kite five red kites being blogged about, has
The pattern-detection module then ecology by selecting different behav- traveled between two home ranges
exhaustively applies the rules to the iors from different days. The main (movement pattern C3), and an expla-
satellite fixes to produce a list of all ob- steps are as follows: nation for the observed movement
served movement behaviors and all pattern is provided based on the age
possible foraging and social behaviors Paragraph 1
consistent with known environmental Movement pattern. Generate a message Table 2. Baseline computer-generated blog
without reference to ecological concepts
and geographic conditions. The latter based on the detected movement pat- for the week outlined in Figure 4.
is the first step in the creative process, tern—C1, C2, or C3 in Figure 2; if the
whereby the program explores the con- age of the bird can be used to interpret
Wyvis had enough of the area around
ceptual space to “imagine” how the this pattern, add such an interpreta- Teavarran and decided to move to Crieff ap-
kite might have been behaving. tion message; proximately 73 miles away. No doubt Wyvis
Blogging Birds uses a rule-based Habitats visited. Generate a message had a social week, as kites Moray and Millie
were often seen in the vicinity.
text planner for dynamic text genera- summarizing the habitats visited; and
tion. The planning rules decide how Other kites. Generate a message Monday, Wyvis spent most of her time
information is ordered, but what infor- about other kites recorded nearby, if around Torness, Errogie, and Teavarran. On
mation to include and how to organize any. Tuesday evening, she reached moorland
near Crieff flying approximately 65 miles
it into sentences is determined at run- amid cloudy conditions and averaging a
time in a data-driven manner. Paragraph 2 remarkable 11 miles per hour. The next five
The blogs are always planned as Days of the week. Iterate over each day days Wyvis spent most of her time around
three paragraphs, the first describing of the week (Monday to Friday): Edinample, Tullybannocher, and St Fillans.
During this time, she was seen mainly on acid
the overall trends, the second provid- ˲˲ If the bird remained relatively
grassland while making occasional journeys
ing more detail on a day-to-day basis, static—C1 in Figure 2—then generate to farmland.
and the third posing a question about a message about nearby places or gen-
what the kite might do next, as well as erate a message about any movement Will Wyvis settle down here?
occasionally offering a conclusion. behavior detected; and

72 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 contributed articles

of the bird. The system emphasizes in Figure 4 would correspond to C3),

the social side with reference to roost- giving us 36 weeks of data in total.
ing and encounters with other tagged Comparison with human-written
kites. The second paragraph is narrat- blogs. We recruited 12 post-graduate
ed chronologically, with care taken
again to emphasize any unusual be- The generated master’s-level ecology students from
the University of Aberdeen in Scot-
haviors (such as the long distance texts are creative land (representative of those who
might be hired by a conservation
in that they display
flown on Tuesday) and to reference
weather conditions (“cloudy”) to make charity) to take part in a two-hour ses-
the text more engaging. Information
is also provided about the foraging po-
imagination and sion on “digital media in nature con-
servation” outside teaching hours.
tential of the different habitat types inventiveness in We told them they would be writing
visited. Aggregation is used to avoid
repetition, using linguistic devices
how they interpret three short blogs on the basis of envi-
ronmental data we would provide,
(such as range “Wednesday to Sun- and report data saying it would take them approxi-
day,” coordination “St Filans, Tully-
bannocher, and Edinample,” and sub- under constraints mately 1.5 hours, that partaking
would benefit our research while giv-
ordination “mainly on acid grassland, imposed by kite ing them unique insights into new
while making odd journeys to arable
land”). The question posed in the final ecology and technologies, and we would compen-
sate them £15 cash to express our
paragraph is selected based on the
movement pattern detected.
the data itself. gratitude for helping us while learn-
ing.
Here, we focus on situations where We provided each writer with ac-
the timeframe covered by each blog is cess to a one-page information sheet
set at one week, as this is the frequency about red kites that summarized the
at which the tags are programmed to typical movement patterns and forag-
transmit data. However, the system ar- ing and social behaviors that were en-
chitecture is sufficiently generic to be coded in the Blogging Birds system.
able to handle other timeframes, and They were also free to consult any on-
the interface also allows the user to se- line sources they preferred. We also
lect a day of the week and read a blog provided them with the enriched data
composed for that day. Blogs could in available to the system for the week,
theory also be provided for longer time- presented in both tabular form (as in
frames, but as the goal of the project Table 1) and overlaid on a map show-
was to allow readers to monitor or fol- ing home ranges and fixes (as in Fig-
low the birds on a continuous basis, ure 4, but without the blog). The in-
this option was not implemented. formation we provided to the 12
student writers was sufficient to al-
Evaluation low them to make the same infer-
We investigated both how computer- ences as the system. However, in or-
generated blogs are appraised by read- der to grant full creative freedom to
ers in comparison to human-written the writers and avoid priming them
blogs based on the same data and the to write similar blogs to the system,
contribution of the generated ecologi- we avoided giving them direct access
cal insights to such appraisals. To this to the inferences made or used by the
end, we designed studies to evaluate system. They were further informed
the quality of the computer-generated about the intended purpose of the
blogs for different patterns of move- blogs and the target audience, and
ment, first through comparison with each was asked to write three 200-
blogs written manually, then through word blogs; that is, for data from
comparison with baseline computer- three different weeks, one in each
generated blogs that report the data condition (C1–C3 in Figure 2) such
factually without ecological insights. that for each of the 36 weeks selected
Method. We focused on the three for the study we had one manually
prototypical movement patterns out- written blog. The order in which writ-
lined in Figure 2 as conditions C1, C2, ers encountered each condition was
and C3. For each condition, we identi- randomized and writers not made ex-
fied 12 weeks of data such that the focal plicitly aware of the existence of
red kite’s movements broadly matched these conditions in the study, though
this condition (for example, the week the patterns were clearly visible on

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 73
contributed articles

the respective maps and described participant sitting at an individual more informative, fluent, and engag-
on the information sheet. These 36 workstation was shown an interface ing than human-written blogs; and
manually written blogs were com- with a map with home ranges and H3. The differences in ratings for
pared to computer-generated blogs fixes of a kite for one of the weeks, computer-generated and human-writ-
for the same weeks in the evaluation. as well as two blogs, one written ten blogs are conditional on the move-
As our goal was to investigate manually and one computer-gener- ment pattern of an individual bird C1,
Blogging Birds not just as a tool for ated, without any information about C2, or C3, as in Figure 2.
those with an interest in nature con- their provenance. Participants said Comparison with baseline. To di-
servation but as a resource to engage what blog they preferred (or ex- rectly evaluate whether communicat-
those interested in new technolo- pressed no preference) and also rated ing ecological insights through the
gies. We ran evaluations with two each blog on how informative, fluent, blogs is important to readers, we com-
distinct groups of participants: 93 and engaging they found it on a sev- pared Blogging Birds to a computer-
undergraduate biology students en- en-point Likert scale. Each partici- generated baseline that blogs about
rolled in a second year “community pant evaluated three pairs of blogs. the movement patterns without refer-
ecology” course and 49 first- and sec- We designed the study to test three ence to ecological concepts; see Table
ond-year undergraduates from across specific hypotheses: 2 for an example. These baseline blogs
disciplines enrolled in a course enti- H1. Computer-generated blogs are were entirely factual and reported be-
tled “digital society,” both at the Uni- preferred to human-written blogs; haviors only directly observed in the
versity of Aberdeen. In each trial, a H2. Computer-generated blogs are data but that otherwise followed the
same format as the full-system blogs.
Figure 5. Preferences for human-written and for computer-generated blogs by movement An additional 27 undergraduate stu-
condition, as in Figure 2: C1 is movement within a home range; C2 is a round trip; and C3 is
movement between home ranges.
dents enrolled in the digital society
course, but who had not participated
Either Human-written Computer-generated
in the earlier experiment, evaluated
1.0
the full vs. the baseline system using
the same methodology and interface
0.8 as before. We designed this study to
Preference (proportion)

test two specific hypotheses:

0.6 H4. Computer-generated blogs with
ecological insights are preferred to
0.4 baseline computer-generated blogs
without ecological insights; and
0.2 H5. Computer-generated blogs
with ecological insights are more in-
0.0 formative and engaging than baseline
C1 C2 C3 C1 C2 C3 computer-generated blogs without
Community Ecology Students Digital Society Students ecological insights, while their fluency
is comparable.

Figure 6. Average ratings for human-written and for computer-generated blogs by movement condition, as in Figure 2: C1 is movement
within a home range; C2 is a round trip; and C3 is movement between home ranges.

Human-written Computer-generated

7 (a) Informativeness 7 (b) Engagingness 7 (c) Fluency

6 6 6

5 5 5

4 4 4

3 3 3

2 2 2

1 1 1

0 0 0
C1 C2 C3 C1 C2 C3 C1 C2 C3 C1 C2 C3 C1 C2 C3 C1 C2 C3

Community Digital Community Digital Community Digital

Ecology Society Ecology Society Ecology Society

74 COM MUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 contributed articles

Results We ran a MANOVA, with informa- vealed this interaction came about
Evaluation against human-written blogs. tiveness, engagingness, and fluency as because the computer-generated
Both sets of students showed an overall the dependent variables and blog type blogs capturing conditions with
significant preference for the comput- (computer or human), kite movement- more movement by kites (C2 and C3)
er-generated blogs (238 trials vs. 153 pattern (C1, C2, or C3), student group were more informative than the hu-
trials in which human-written blogs (community ecology or digital society), man-written blogs for the same con-
were preferred; χ2 = 18.5; p < 0.001), and their interactions as fixed effects, ditions and more informative than
confirming hypothesis H1. However, and writer ID and evaluator ID as ran- computer-generated blogs capturing
a more complex pattern emerged (see dom effects. We found the following constricted movement (C1) (p<0.0001
Figure 5), with this preference being main effects and interactions at p<0.01: for each comparison).
dependent on the type of kite move- computer-written blogs were rated sig- To better understand these described
ment covered in the blog—C1, C2, nificantly higher (p<0.0001) than hu- effects, we compared the distribution of
or C3—and the orientation of the man-written blogs (confirming hypoth- ratings obtained by each human writer
course—ecology or technology. esis H2); students in the digital society (H1–H12) and the computer (Comp) in
Across the community ecology stu- course gave higher ratings overall than Figure 7. Only two of the blog writers (H3
dents, there was a strong preference students in community ecology and H10) were deemed to write more in-
for computer-generated blogs when (p<0.01); and there was interaction be- formative blogs than the computer, and
they captured more extensive move- tween blog type and movement pat- both of them were considered less en-
ment by the kites—round trips (C2) tern (p<0.0001), confirming hypothe- gaging and fluent than the computer-
and movement between home ranges sis H3. Post-hoc analysis using the generated blogs. Likewise, H4, who
(C3)—while there was little difference Tukey HSD test on the individual ANO- wrote more fluent and engaging blogs
in preference between the two blog VAs with Bonferroni-correction re- than the computer, was rated rather low
types when kite movement was limit-
ed; that is, small movements within Figure 7. Computer-generated blogs (Comp) vs. human-written blogs (H1–H12).
home ranges (C1). Digital society stu-
7 3
dents showed an overall clear prefer- Likert Scale 6 2
ence for the computer-generated 5 1
4
blogs only when they described round
(a) Informativeness (b) Engagingness (c) Fluency
trips (C2). Combined, our findings in- 7 1

Proportions of ratings
dicate Blogging Birds is particularly 6
Mean Rating

skilled at handling cases where the fo- 5

cal bird shows substantial movement. 4
3
Average ratings for how fluent, engag-
2
ing, and informative the blogs were 1
(see Figure 6) showed the main per- 0 0
ceived advantage of the computer-
H6
H1
H6
H4
H5
H8
H7
H9
H11
H2
H12
Comp
H3
H10

H1
H5
H8
H7
H3
H9
H2
H10
Comp
H4
H12
H11

H6
H1
H5
H7
H8
H12
H10
H3
H9
Comp
H4
H11
H2
generated blogs pertains to their “in-
formativeness,” with smaller Blog Writers
improvements visible for how engag-
ing and fluent they were.

Figure 8. Computer-generated blogs with ecological insights (full system) vs. computer-generated blogs describing movement patterns only
(baseline system).

Either Baseline system Full system

1.0 (a) Preferences (proportion) 7 (b) Informativeness 7 (c) Engagingness 7 (d) Fluency

6 6 6
0.8
5 5 5

0.6
4 4 4

3 3 3
0.4

2 2 2
0.2
1 1 1

0.0 0 0 0
C1 C2 C3 C1 C2 C3 C1 C2 C3 C1 C2 C3

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 75
contributed articles

for “informativeness,” thus illustrating 5.1, 3.8; p = 0.0233, 0.0499). The absence
the difficulty of being informative, en- of ecological interpretation by the base-
gaging, and fluent at the same time, line system was thus judged adversely for
even for a human writer. Indeed, all the all movement patterns, particularly so
writers were committed and used the
full 1.5 hours for composing the blogs, Telemetric data when the birds were relatively static. We
also found the full blogs were rated as
yet most were outperformed by the com-
puter on each of the three metrics. For
is ubiquitous, more informative (p<0.0001) and more
engaging (p=0.0215) but not more fluent
examples of human-written and com- captured by (p=0.825) (see Figure 8), confirming hy-
puter-generated blogs, as well as details
of how they were appraised by evalua-
smartphones pothesis H5.
The two studies we have presented
tors, see the online appendix. and other mobile here demonstrate that computer-gen-
A questionnaire filled out by the blog
writers provided many interesting in-
devices, as well erated blogs are appraised more posi-
tively than human-written blogs, and
sights. In general, they found it difficult as through GPS that computer-generated blogs with
to comprehend and summarize the
sheer amount of data in fewer than 200 sensors embedded creatively generated ecological in-
sights are preferred overwhelmingly to
words but also felt the process became in vehicles used by blogs generated from the same data
easier the more they did. There was,
however, concern from many that the the transportation but without inclusion of these insights.

blogs were becoming repetitive, espe-

cially if there was little variation in what
industry and others. Conclusion
The Blogging Birds system shows that
the red kites were actually doing, stem- raw satellite tag data can be transformed
ming largely from a lack of knowledge into fluent, engaging, and informative
of kite ecology and behavior. Summariz- texts directed at members of the public
ing the range of data in different for- and in support of nature conservation.
mats was certainly challenging, and We demonstrated that computers
some enjoyed the process more than can compete with human experts in
others. There was considerable variabil- generating creative stories from nu-
ity in how the blog writers used the ma- merical data. Unlike natural lan-
terials provided them to create the guage generation systems that gener-
blogs. Some concentrated mostly on the ate texts for news reporting or for
visible patterns on Google maps, others decision making in the workplace,
looked in more detail at the map data by Blogging Birds’s narratives are not
clicking on individual map points to entirely factual. Though the system is
find out more, and yet others found in- constrained by the observed data and
specting the data in a tabular format its ecological domain model, the red
was most useful. Asked whether they kites’ reported foraging and social
would like to write the red kite blogs as a behaviors are only imagined to have
job, the consensus was that, although taken place. However, including
initially enjoyable, it would quickly get these behaviors in the narratives al-
tedious and increasingly more difficult lows us to communicate red kite ecol-
to write non-repetitive material. ogy to the reader, and the blogs are
Evaluation against baseline. Partici- better appraised as a consequence.
pants demonstrated a conclusive prefer- Our work thus simultaneously ad-
ence for the full system with ecological dresses the societal challenges of
insights, preferring it in 61 trials com- communicating data effectively and
pared to only 20 trials in which the base- engaging the general public with sci-
line was preferred (χ2 = 21.5; p < 0.001), entific research.
confirming hypothesis H4. Interestingly, Blogging Birds composes blogs by
this effect was strongest when blogs de- combining texts produced through
scribed situations with little movement three different types of analysis: The
by the birds during those weeks (C1); first is a generic factual summariza-
here, the full-system blogs were pre- tion of telemetric data enriched with
ferred in 23 trials compared to just four location-specific information about
baseline blogs (χ2 = 13.4; p=0.0002). For weather conditions, habitat type, and
C2 and C3, the corresponding values geographic features, and can be read-
were preferences for the full system in 20 ily adapted for use in other domains.
and 18 trials, compared to preferences The second is the processing and eco-
for the baseline in eight trials each (χ2 = logical interpretation of movement

76 COMM UNICATIO NS O F THE AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 contributed articles

data in the context of home range use, supermarket. In effect, we have dem- 18. Sharples, M. An account of writing as creative design.
In The Science of Writing. Lawrence Erlbaum,
and the third is the exploitation of do- onstrated it is possible to blog about Hillsdale, NJ, 1996.
main knowledge encoded as a collec- such data through a process of data en- 19. Sternberg, R.J. Handbook of Creativity. Cambridge
University Press, Cambridge, U.K., 1999.
tion of rules that help the system richment and natural language genera- 20. Theune, M., Faas, S., Heylen, D.K.J., and Nijholt, A. The
imagine possible foraging and social tion, opening up new avenues for using virtual storyteller: Story creation by intelligent agents.
In Proceedings of the Conference on Technologies for
behaviors from environmental and AI to engage people through data. Interactive Digital Storytelling and Entertainment, S.
geographic parameters. Much of what Göbel et al., Eds. (Darmstadt, Germany, Mar. 24–26).
Fraunhofer IRB Verlag, Stuttgart, Germany, 2003,
is creative and interesting about the Acknowledgments 204–215.
21. Theune, M., Klabbers, E., de Pijper, J.-R., Krahmer, E.,
blogs derives from the latter domain- This research was supported by an and Odijk, J. From data to speech: A general approach.
specific types of data analyses. Al- award from the RCUK Digital Economy Natural Language Engineering 7, 1 (Mar. 2001), 47–86.
22. Tintarev, N., Reiter, E., Black, R., Waller, A., and
though the developed principles ap- Programme to the dot.rural Digital Reddington, J. Personal storytelling: Using natural
ply more broadly, new applications Economy Hub, award reference EP/ language generation for children with complex
communication needs, in the wild. International Journal
would require construction of knowl- G066051/1. of Human-Computer Studies 92 (Aug. 2016), 1–16.
edgebases pertinent to the domain of 23. Tomkiewicz, S.M., Fuller, M.R., Kie, J.G., and Bates, K.K.
Global positioning system and associated technologies
use. While this is a clear limitation of References in animal behaviour and ecological research.
1. Binsted, K. and Ritchie, G. Computational rules for
our approach, note our ecological in- generating punning riddles. International Journal of
Philosophical Transactions of the Royal Society of
London B: Biological Sciences 365, 1550 (July 2010),
terpretation of movement data in par- Humor Research 10, 1 (July 1997), 25–76. 2163–2176.
2. Calenge, C. The package ‘adehabitat’ for the R
ticular would be applicable to several software: A tool for the analysis of space and habitat
24. van derWal, R., Zeng, C., Heptinstall, D.,
Ponnamperuma, K., Mellish, C., Ben, S., and
other species. For example, we have use by animals. Ecological modelling 197, 3 (Apr. Siddharthan, A. Automated data analysis to rapidly
2006), 516–519. derive and communicate ecological insights from
already developed a version of Blog- 3. Callaway, C.B. and Lester, J.C. Narrative prose satellite-tag data: A case study of reintroduced red
ging Birds for golden eagles (Aquila generation. Artificial Intelligence 139, 2 (Aug. 2002), kites. Ambio 44, 4 (Oct. 2015), 612–623.
213–252. 25. Verma, A., van der Wal, R., and Fischer, A. Microscope
chrysaetos) for use by RSPB conserva- 4. Carter, I. The Red Kite. Arlequin Press, Chelmsford, and spectacle: On the complexities of using new
tion officers, successfully reusing the Essex, U.K., 2007. visual technologies to communicate about wildlife
5. Gatt, A., Portet, F., Reiter, E., Hunter, J., Mahamood, conservation. Ambio 44, 4 (Oct. 2015), 648–660.
second, as well as the first, type of S., Moncur, W., and Sripada, S. From data to text in the 26. Wall, J., Wittemyer, G., Klinkenberg, B., and
analysis. neonatal intensive care unit: Using NLG technology Douglas-Hamilton, I. Novel opportunities for wildlife
for decision support and information management. AI conservation and research with real-time monitoring.
During the course of the project, we Communications 22, 3 (third quarter 2009), 153–186. Ecological Applications 24, 4 (June 2014), 593–601.
6. Gatt, A. and Reiter, E. SimpleNLG: A realisation
also discovered ecologists had limited engine for practical applications. In Proceedings of
27. Wen,, T.-H., Gašić, M., Mrkšić, N., Su, P.-H., Vandyke, D.,
and Young, S. Semantically conditioned LSTM-based
knowledge of the foraging behavior of the 12th European Workshop on Natural Language natural language generation for spoken dialogue
Generation (Athens, Greece, Mar. 30–31). Association
red kites in Scotland, as they had not for Computational Linguistics, Stroudsburg, PA, 2009,
systems. In Proceedings of the Conference on
Empirical Methods in Natural Language Processing
been studied extensively following 90–93. (Lisbon, Portugal, Sept. 17–21). Association for
7. Gervás, P. Computational approaches to storytelling
their relatively recent reintroduction. and creativity. AI Magazine 30, 3 (Fall 2009), 49–62.
Computational Linguistics, Stroudsburg, PA, 2015.
28. Yan, R. I, Poet: Automatic poetry composition through
We could thus encode only a limited 8. Ghazvininejad, M., Shi, X., Choi, Y., and Knight, K. recurrent neural networks with iterative polishing
Generating topical poetry. In Proceedings of Empirical
number of rules per habitat type. The Methods in Natural Language Processing (Austin, TX,
schema. In Proceedings of the International Joint
Conference on Artificial Intelligence. New York, July
absence of any large-scale corpus of Nov. 1–5). Association for Computational Linguistics, 9–15). AAAI Press, Palo Alto, CA, 2016, 2238–2244.
Stroudsburg, PA, 2016, 1183–1191. 29. Zhang, X. and Lapata, M. Chinese poetry generation
texts in this domain also meant we 9. Goldberg, E., Driedger, N., and Kittredge, R.I. Using with recurrent neural networks. In Proceedings of the
could not apply the deep learning natural language processing to produce weather Conference on Empirical Methods in Natural Language
forecasts. IEEE Expert 9, 2 (Apr. 1994), 45–53. Processing (Doha, Qatar. Oct. 25–29). Association for
methods that are rapidly gaining popu- 10. Hebblewhite, M. and Haydon, D.T. Distinguishing Computational Linguistics, Stroudsburg, PA, 2014,
larity for generating linguistic varia- technology from biology: A critical review of the 670–680.
use of GPS telemetry data in ecology. Philosophical
tion in computer-generated texts.27 In Transactions of the Royal Society of London B:
future work, we plan to invite Blogging Biological Sciences 365, 1550 (July 2010), 2303–2312. Advaith Siddharthan ([email protected])
11. Panetta, K. Neural Networks and Modern BI Platforms is a Reader in the Knowledge Media Institute at The Open
Birds’ users to contribute behavioral Will Evolve Data and Analytics. Gartner, Inc., University, Milton Keynes, U.K.
Stamford, CT, Jan. 16, 2017; http://www.gartner.com/
observations from across the U.K., en- smarterwithgartner/nueral-networks-and-modern-bi- Kapila Ponnamperuma (kapila.ponnamperuma@arria.
abling us to simultaneously curate a platforms-will-evolve-data-and-analytics/ com) is the lead natural language engineer at Arria NLG
12. Ponnamperuma, K., Siddharthan, A., Zeng, C., Mellish, plc, Aberdeen, Scotland, U.K.
larger set of rules and further public C., and Wal, R. Tag2Blog: Narrative generation
engagement. from satellite tag data. In Proceedings of the 51st Chris Mellish ([email protected]), now retired, was
Annual Meeting of the Association for Computational a professor of computer science at the University of
Finally, our ideas demonstrated Linguistics: System Demonstrations (Sofia, Bulgaria, Aberdeen, Scotland, U.K., at the time this research was
here are applicable more generally. Aug. 4–9). Association for Computational Linguistics, conducted.
Stroudsburg, PA, 2013, 169–174.
Telemetric data is ubiquitous, cap- 13. Portet, F., Reiter, E., Gatt, A., Hunter, J., Sripada, Cheng Zeng ([email protected]) was a research
tured by smartphones and other mo- S., Freer, Y., and Sykes, C. Automatic generation of assistant on the Blogging Birds Project at the time this
textual summaries from neonatal intensive care data. research was conducted.
bile devices, as well as through GPS Artificial Intelligence 173, 7–8 (May 2009), 789–816.
Daniel Heptinstall ([email protected]) is a senior
sensors embedded in vehicles used by 14. Pschera, A. Animal Internet: Nature and the Digital
international biodiversity adviser on the U.K. government’s
Revolution. New Vessel Press, New York, 2016.
the transportation industry and others. 15. Reiter, E. and Dale, R. Building Natural Language Joint Nature Conservation Committee.
Even albums of time-stamped and geo- Generation Systems. Cambridge University Press,
Annie Robinson ([email protected]) was a
Cambridge, U.K., 2000.
Research Fellow on the Blogging Birds Project at the time
tagged photos provide data similar to 16. Reiter, E., Sripada, S., Hunter, J., Yu, J., and Davy, I.
this research was conducted.
what we used here. The nature of the Choosing words in computer-generated weather
forecasts. Artificial Intelligence 167, 1–2 (Sept. 2005), René van der Wal ([email protected]) is a
blogs, along with the information 137–169. professor of ecology at the University of Aberdeen,
17. Rishes, E., Lukin, S.M., Elson, D.K., and Walker, M.A.
sources used for data enrichment, Generating different story tellings from semantic
Scotland, U.K.

would depend on the application, to representations of narrative. In Proceedings of the

International Conference on Interactive Digital
blog about a holiday or reveal the prov- Storytelling (Istanbul, Turkey, Nov. 6–9) Springer, New
enance and journey of a food item in a York, 2013, 192–204. Copyright held by authors.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 77
review articles
DOI:10.1145/ 3226588
A lot has happened in the world
A new model for describing the Internet since 1993. The overwhelming success
of the Internet has created many new
reflects today’s reality and the future’s needs. uses and challenges that were not an-
ticipated by its original architecture:
BY PAMELA ZAVE AND JENNIFER REXFORD ˲˲ Today, most networked devices are
mobile.

The
˲˲ There has been an explosion of se-
curity threats.
˲˲ Most of the world’s telecommu-
nication infrastructure and entertain-

Compositional
ment distribution has moved to the
Internet.
˲˲ Cloud computing was invented to
help enterprises manage the massive

Architecture
computing resources they now need.
˲˲ The IPv4 32-bit address space has
been exhausted, but IPv6 has not yet
taken over the bulk of Internet traffic.

of the Internet
˲˲ In a deregulated, competitive world,
network providers control costs by al-
locating resources dynamically, rather
than provisioning networks with stat-
ic resources for peak loads.
Here is a conundrum. The Internet
is meeting these new challenges fairly
well, yet neither the IP protocol suite
nor the way experts describe the Inter-
net have changed significantly since
1993. Figure 1 shows the headers of a
typical packet in the AT&T backbone,19
giving us clear evidence that the chal-
lenges have been met by mechanisms
well outside the limits of the classic
explosive growth of the World Wide
I N 1 992, TH E
Internet architecture. In the classic
Web began. The architecture of the Internet was description, the only headers between
commonly described as having four layers above the
key insights
physical media, each providing a distinct function:
For the past 25 years, the Internet has
a “link” layer providing local packet delivery over ˽˽
been evolving to meet new challenges
heterogeneous physical networks, a “network” layer by composition with new networks
that were unanticipated by the original
providing best-effort global packet delivery across architecture. New networks make
alternative trade-offs that are not
autonomous networks all using the Internet Protocol compatible with the general-purpose
Internet design, or maintain alternative
(IP), a “transport” layer providing communication views of network structure.
services such as reliable byte streams (TCP) and ˽˽ In an architecture composed of self-
contained networks, each network is
datagram service (UDP), and an “application” layer. a microcosm with all the basic network
mechanisms including a namespace,
In 1993, the last major change was made to this routing, a forwarding protocol,
IMAGE BY TIERNEYM J

classic Internet architecture;11 since then the scale session protocols, and directories.
The mechanisms are specialized
and economics of the Internet have precluded further for the network’s purposes,
membership, geographical span, and
changes to IP.12 level of abstraction.

78 COMM UNICATIO NS O F THE AC M | M A R C H 201 9 | VO L . 62 | NO. 3

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 79
review articles

HTTP and Ethernet would be one TCP pendent on the interaction of multiple services (such as protection from deni-
header and one IP header. networks. This means they cannot be al-of-service attacks) that cannot be im-
In this article, we present a new verified without a formal framework plemented in endpoints.4 Today’s In-
way of describing the Internet, better for network composition. ternet is full of middleboxes, which are
attuned to the realities of networking Evolution toward a better Internet: functional elements located inside the
today, and to meeting the challenges In response to the weaknesses of the network and inserted into end-to-end
of the future. Its central idea is that the current Internet, many researchers paths. On the other side of the divide,
architecture of the Internet is a flexible have investigated “future Internet ar- performance of the network depends
composition of many networks—not chitectures” based on new technology to some extent on congestion control
just the networks acknowledged in the and “clean slate” approaches.2,20,21,25 in TCP endpoints. It is no longer true
classic Internet architecture, but many These architectures are not compatible that endpoint machines and networks
other networks both above and below enough to merge into one network de- are always owned by different parties
the public Internet in a hierarchy of sign. Even if they were, it is debatable (in clouds they are not), and no longer
abstraction. For example, the headers whether they could satisfy the demands true that network elements such as
in Figure 1 indicate the packet is being for specialized services and localized routers are not programmable.10
transmitted through six networks be- cost/performance trade-offs that have From a modeling perspective, the
low the application system. Our model already created so much complexity. A divide between network and endpoints
emphasizes the interfaces between study of compositional principles and is harmful for a very simple reason: If
composed networks, while offering an compositional reasoning might be the we want to describe and verify commu-
abstract view of network internals, so key to finding the simplest Internet nication (network) services, then we
we are not reduced to grappling with architecture that can satisfy extremely must include all the agents involved in
masses of unstructured detail. In addi- diverse requirements. providing those services.
tion, we will show that understanding We begin with principles of the User interfaces are inside ma-
network composition is particularly classic architecture, and then discuss chines. Figure 2 illustrates the new
important for three reasons: why they have become less useful and model’s approach to network services
Reuse of solution patterns: In the how they can be replaced. This should and the user interface. Each machine
new model, each composable net- help clarify that we are proposing a re- participating in a network must be
work is a microcosm of networking, ally new and different way of talking running a member of that network. The
with the potential to have all the ba- about networks, despite the familiarity network member is a software or hard-
sic mechanisms of networking such of the terms and examples. We close by ware module that implements some
as a namespace, routing, a forwarding considering potential benefits of the subset of the network protocols. Mem-
protocol, session protocols, and direc- new model. bers are connected by links, where a
tories. Our experience with the model link is a communication channel that
shows this perspective illuminates so- The User Interface to a Network accepts packets from one member
lution patterns for problems that occur The end-to-end principle. The best- and delivers them to another mem-
in many different contexts, so that the known principle of the classic Internet ber.a Members of the network forward
patterns (and their implementations!) architecture is the end-to-end prin- packets that are not destined for them,
can be reused. This is a key insight of ciple,5,8 which creates a sharp divide so a packet can reach its destination
Day’s seminal book Patterns in Network between the network and the endpoint through a path of members.
Architecture.7 By showing that interest- machines that it serves. The princi- The users of networks are distribut-
ing networking mechanisms can be ple says the functions of the network ed application systems—computer sys-
found at higher levels of abstraction, should be minimized, so that it serves tems with operational modules spread
the new model helps to bridge the arti- everyone efficiently, and that when- across different physical machines.
ficial and unproductive divide between ever possible services should be imple- The modules of a distributed system
networking and distributed systems.17 mented in the endpoint machines. The need a network to communicate. The
Verification of trustworthy services: endpoints are easily programmable (so main user interface to a network con-
Practically every issue of Communica- anyone can add services), and the end- sists of the interfaces inside machines
tions contains a warning about the to-end perspective is the best perspec- between user modules and members
risks of rapidly increasing automa- tive for functions such as reliability. of the network.
tion, because software systems are too The end-to-end principle is also An instance or usage of network ser-
complex for people to understand or expressed by the slogan “smart edge, vice is a session. A network has packets,
control, and too complex to make reli- dumb network.” Another implication which are its transmissible units of
able. Networks are a central part of the of the end-to-end principle is the user data. A session transmits a set of pack-
growth of automation, and there will be interface to a network consists of the ets that are related from the perspec-
increasing pressure to define require- links between endpoint machines and tive of the user. In Figure 2, a one-way
ments on communication services and the rest of the network. session transmits packets from an ap-
to verify they are satisfied.14 As we will Despite its tremendous explana-
show, the properties of trustworthy tory and engineering value, the end- a Although the model allows one-to-many ses-
services are defined at the interfaces to-end principle does not describe the sions and links, for services such as broadcast
between networks, and are usually de- Internet as a whole. We know there are and multicast, they are omitted for simplicity.

80 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 review articles

plication sender to an application re- Self-contained networks. A major encompasses both the network and
ceiver. The session has identifier sess- principle of the new model is that lay- transport layers of the classic Internet
Ident. So the main user interface to the ers in a composition hierarchy are self- architecture.
network is that the sender has action contained networks. Each network We will now give brief explanations
send (packet, sessIdent) to send a packet is a microcosm of networking, with of the major parts of a network, fol-
in the session, and the network has ac- all the basic mechanisms including a lowed by examples.
tion deliver (packet, sessIdent) to deliver namespace, routing, a forwarding pro- A network’s namespace is the set
a packet to the receiver. tocol, session protocols, and directo- of names that its members can have.
Although the user interface between ries. However, because networks vary Most commonly each member of a
two networks is always implemented widely in their purposes, geographi- network has a unique name, although
inside machines, implementations cal spans, memberships, and levels of there are many exceptions.
vary. Many user interfaces are imple- abstraction, these mechanisms also Routing is the mechanism that de-
mented by software in operating sys- vary, and a mechanism may be ves- termines paths and installs entries
tems. The user interfaces to the MPLS tigial in a particular network design in the forwarding tables of network
networks in Figure 1, on the other where it is not needed. According to members, while a network’s forward-
hand, are implemented deep inside this principle the IP protocol suite is a ing protocol is the mechanism in which
the hardware of high-speed routers. general-purpose network design that is a member uses its forwarding table
implemented on most networked de- and other computations to forward
The Nature of a Layer vices. As such, it can be reused for the packets toward their destinations. It
Fixed layers with distinct functions. design and implementation of many includes formats for packet headers
The classic Internet architecture pre- networks. Note that an IP network and forwarding tables. Most common-
scribes five layers (including the physi-
cal media), as listed earlier. The con- Figure 1. Headers of a typical packet in the AT&T backbone network.
temporaneous OSI reference model13
has seven layers, with “session” and Headers lower in the diagram are outermost in the actual packet.

“presentation” layers between the

transport and application layers. In distributed Web-based
application system
both hierarchies each layer has a dis- HTTP
tinct function not performed by any TCP
Virtual Private Network
other layer. IP (VPN)
Fixed layers with distinct functions IPsec
are no longer a realistic description of public Internet
IP
the Internet. For example, routing and
forwarding are extremely important GTP
General Packet Radio
network functions; in the classic archi- UDP Service (GPRS) network
tecture the local version of these func- IP
Multi-Protocol Label
tions resides in the link layer, while the MPLS Switching (MPLS) network
global version resides in the network
MPLS
layer. Yet, Figure 1 also shows the pres- another MPLS network
Ethernet
ence of a GPRS (a standard for cellular Ethernet network
data service) network and two MPLS
networks, each of which has its own
routing and forwarding that aggregates
packets and manages resources at dif- Figure 2. The main user interface to a network, with an example session.
ferent levels of abstraction. Further
up in Figure 1, we see three IP head- machine machine
ers, plus evidence that three separate
IP session protocols (TCP, IPSec, and sender receiver
user interface
UDP) apply to this packet.
Conceivably there is a model with send (packet, sessIdent) deliver (packet, sessIdent)
fixed layers and distinct functions that
fits this packet, but the same HTTP NETWORK
message—if observed at different plac- session with identifier sessIdent
es along its end-to-end path—will be destination
source
encapsulated in packets with different
headers indicating different layers and
different functions. So no variation on members links
the classic Internet architecture or OSI
reference model can help us under-
stand what is going on.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 81
review articles

ly, the table at each member is a map- or unless the information they carry is other only through IP routers, where
ping from headerPattern and inLink to already stored in members along the filtering rules are installed to allow
outLink, where headerPattern matches path of the session. only approved communication among
some subset of packet headers, and Examples of new networks. Many groups. Note that the machines with
inLink and outLink are local identifiers campus architectures have networks IP addresses 2.7 and 2.8 are close to-
for the links of that member. The map- called virtual local area networks gether in the IP topology, but far apart
ping tells the member that on receiv- (VLANs) that are not found in the in the physical topology.
ing a packet on incoming link inLink classic architecture.22 The purpose of At the middle level of the figure
whose header matches headerPattern, VLANs is to maintain an important there is an isolated VLAN for each
it should forward the packet onto out- network topology that is not present group. Like the LANs, a VLAN uses
going link outLink. The mapping can in either the IP network or local area the Ethernet design in which names
also tell the member, explicitly or im- networks (LANs) on campus, as shown are MAC addresses (abbreviated “M”).
plicitly, to drop the packet. in Figure 3. In the figure, each physical These VLANs do their own routing,
A session protocol is a set of conven- machine is assigned a color and final separate from the routing in the LANs.
tions governing a specific kind of ses- name digit for its network members, A virtual link in the IP network must
sion; it always includes the behavior so that it is easy to see which network be implemented by a path in a VLAN
of the session endpoint members, and members are on the same machine. and a link in a VLAN must be imple-
may include the behavior of other net- At the bottom level we see there are mented by a physical path. As a re-
work members on the session path. physical LANs covering different ar- sult, a packet from 1.3 to 2.6 must go
It covers packet headers, packet se- eas of campus, and some high-speed through IP router 0.5 and be screened,
quence, member state, and member physical links across campus.b At the even though the shortest physical path
actions. The header format of a session top level the campus has a private IP between the red and green machines
protocol is a specialization of its net- network. User machines are divided does not go through an IP router. The
work’s forwarding format, so a header into groups depending on whether VLAN architecture has been found to
must conform to both. The new model they belong to students, administra- simplify administration, enhance se-
makes particular use of the following tors, departments, or others. Members curity, and improve the efficiency of
header fields: of a group are identifiable by the pre- campus networks.22
˲˲ the name of the destination end- fixes of their IP addresses (abbreviated A completely different kind of vir-
point; in the figure). Within each group each tual network is often found in mul-
˲˲ a session protocol identifier; user machine is connected by a virtual titenant clouds, which may offer to
˲˲ a session identifier; link to every other group member and their tenants various services such
˲˲ a user network to identify the net- to one or more IP routers that serve as as load-balancing, packet filtering by
work being served by the session (as we security gateways to the group. Mem- firewalls, and application-specific per-
will discuss). bers of different groups can reach each formance enhancements. Such clouds
These fields are always present have virtual networks that implement
in headers unless they are vestigial b The “campus IP network” at the bottom level
these services by inserting middlebox-
(which means they would be identify- is a tricky part of the architecture, and will be es into the paths of sessions. In these
ing elements in a set of size zero or one) explained in section entitled The Usage Graph. virtual networks, the major purpose of
routing and forwarding is to direct the
Figure 3. The architecture of campus network. packets of sessions through middle-
boxes according to the tenant’s ser-
In this diagram, all lines between members are bidirectional pairs of links. vice specification.3,16
The most unusual networks in
Students’ Group Administrators’ Group this article are named data networks
Campus
IP Network 2.7 (NDN).25 In NDN each piece of data has
0.4 0.5
1.3 a unique name. For purposes of the
2.8
2.6
Virtual Links networking functions of routing and
forwarding, a data server has the name
Administrators’ of every piece of data available from
Virtual LAN M8 it; a server can have many names, and
M7 M4 M5
(Extends M6
Across Campus) a name can be assigned to many serv-
ers. The routing protocol uses advertis-
ing and other conventional techniques
M7 M4 0.4 0.5 M5 M8
so that a request for data is usually
forwarded to the nearest server with
Physical Link the requested data. In NDN, a session
M3 M6
consists of a single request and its re-
Campus
Physical LAN IP Network Physical LAN sponse, and there is no source name
in the request packet. (A source name
would be useless for returning the re-

82 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 review articles

sponse to the requestor, because users member of which VLAN should it de-
do not have names and server names liver the packet to? LAN packets in this
are not unique.) Rather, the session architecture have a user-network iden-
protocol leaves traces of the session tifier called a “VLAN tag,” which tells
in every member that forwards the re-
quest, so that the response can follow The most important the destination which user network is
being served by the session.
the path in reverse.
NDN is a “future Internet architec-
operator for The shift from a principle of fixed

the composition
layers to a principle of many self-con-
ture,” as mentioned at the outset. In tained networks encourages a shift in
current NDN deployments, wherever
NDN links must traverse non-NDN
of networks thinking and terminology—from dif-
ferent concepts and terminology for
nodes, they are implemented by being is layering, which each layer to concepts and terminology
layered on top of the public Internet.
NDN networks are particularly inter-
is when a link in that emphasize the similarities among
layered networks. Most importantly of
esting because their design shows a network all, users of networks—distributed ap-
how the session protocol, routing, and
forwarding of a network can be highly is implemented plication systems—can be networks
themselves, and the distinction be-
specialized and tightly integrated. by a session in tween the two concepts weakens.

Composition by Layering a used network. If the service provided by a session

protocol has a specification, then the
Layering of self-contained networks. specified properties of a session are
The most important operator for the also the guaranteed properties of a link
composition of networks is layering, the session implements. For example,
which is simply what happens when the best-known service of IP networks
one network uses the services of an- is implemented by the session proto-
other network, in exactly the sense dis- col TCP. A user of TCP sends a stream
cussed earlier. More specifically, a link of bytes, and this byte stream must be
in a user network is implemented by a received by the user at the other end of
session in a used network. the session with no bytes missing or
A usage hierarchy is a directed acy- duplicated, and all in the same order in
clic graph whose nodes are networks which they were sent.
and whose edges represent composi- In the case of TCP the work need-
tion by link implementation. A level ed to satisfy this specification is per-
in this graph is a set of networks that formed by the protocol implementa-
all have the same graph distance from tion in the network members at the
some reference point. This definition endpoint machines. IP/TCP packet
will be refined further. headers have a session identifier (the
For example, Figure 3 is derived four-tuple with both names and both
from a usage hierarchy, with the levels ports) and a user network (the destina-
of the graph being represented by ver- tion port or “well-known port”). The
tical placement. The bidirectional link network has a maximum transmission
between 2.7 and 2.8 in the campus IP unit limiting the size of IP packets. So
network is implemented by a bidirec- the TCP implementation at the source
tional session in the administrators’ accepts a byte substream, disassem-
VLAN that follows the path shown be- bles it into IP packets, encapsulates
tween M7 and M8. The link between M7 each packet in the TCP/IP header, and
and M4 in the VLAN is implemented by sends it through the network. When
a session in the left physical LAN fol- the TCP implementation at the des-
lowing the spanning-tree path between tination receives packets, it decapsu-
M7 and M4. Note that machines have lates them by removing the TCP/IP
distinct members in VLANs and LANs, header, requests retransmissions of
even though those networks happen to missing substreams, assembles a com-
use the same Ethernet design and the plete substream in byte order, and de-
same namespace. livers it to the receiver.
Consider the right LAN in Figure 3. Names and directories. Classic de-
It links machines in both the students’ scriptions of the Internet associate
and administrators’ groups, so it must “domain names” with the application
implement links in at least two VLANs. layer, IP “addresses” with the net-
When the destination of a session work layer, and MAC addresses with
in this LAN receives a packet, which the link layer. In the new model ev-

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 83
review articles

ery network simply has a namespace, aggregates of sessions. In general, the single administrative authority, which
and network members have names in properties fall into four categories: is responsible for providing the net-
the namespaces of their networks. In ˲˲ Reachability properties specify which work’s services with their specified
the literature of networking, names receivers a member can send packets to. properties. Bridging is a composition
in various networks are also referred ˲˲ Performance properties specify operator in which sessions or services
to as “service names,” “identifiers,” quantities such as maximum laten- are implemented by a set of networks
and “locations.” cy, minimum bandwidth, maximum chained end-to-end. With bridging,
In every instance of layering compo- packet loss rate, and faults tolerated. the two endpoints of a session can be
sition, a network A uses a network B. ˲˲ Behavioral properties are more ser- members of different networks. The
Some members of A must be running vice-specific. In addition to TCP guar- public Internet consists of a large num-
on the same machines as members antees, they include synchronization, ber of autonomous IP networks, com-
of B, and interfacing with them to get load balancing among user endpoints, posed by bridging.
network services. If B must set up ses- and the requirement that a session There are several variations on
sions dynamically to serve A, then there must persist despite physical mobility bridging, depending on how much
must be a directory mapping names in of one or both endpoint machines. structure the bridged networks share.
A to the names of the members of B ˲˲ Security properties are diverse. For In the simplest case two bridged net-
on the same machines. For example, example, access control is the negation works have identical designs and pro-
a Web request is sent from a client to of reachability. Denial-of-service protec- tocols, names of all network members
a server having a domain name in the tion supports availability. Security prop- are unique across both networks, and
Web namespace. For an IP network erties on individual sessions include members of both networks have access
to implement this communication, it endpoint authentication, data confi- to the routing and directories of the
must discover the network name (IP dentiality, data integrity, and privacy. other. In this simple case, the networks
address) of the server, which will be the In addition to providing specified can be bridged by shared links, and
destination of the TCP session carrying services, network designers and opera- little changes except that the reach of
the request. DNS is the directory pro- tors are also concerned with efficient both networks is extended. This is how
viding this information.c resource allocation, so that the services public IP networks are bridged.
The new model does not constrain are provided at minimal cost. In other cases, bridged networks
internal implementation details of Basic reasoning about composition are less similar. They may have differ-
networks. For example, although most by layering is easy to explain. There ent or overlapping namespaces. They
networks store member-specific for- should be a one-to-one mapping be- may have unshared routing, unshared
warding tables in individual members, tween implemented links and imple- directories, or other barriers. In these
in SEATTLE there is a single (although menting sessions. The packet load cases a member of one network can
distributed) forwarding table used by on the link, possibly fragmented into still reach a member of a bridged net-
all members.15 And although many smaller packets, becomes the packet work, but only with the addition of
networks have centralized directories, load on the implementing session. The compound sessions. A compound ses-
in Ethernets the directory information guaranteed properties of the session sion is simply a session in which there
obtained from the Address Resolu- become the assumed properties of the is at least one middlebox acting as a
tion Protocol is cached in individual implemented link. joinbox. The joinbox serves as a des-
members. Thus forwarding state and Although such rigor is not always tination for one simple session and
directory state cannot always be dis- needed, it should be possible to reason a source for another simple session,
tinguished by the way they are imple- that a network satisfies its service spec- and maintains state that associates the
mented. But they can always be dis- ifications, and that its use of resources two simple sessions so it can forward
tinguished by what they are mapping: is close to optimal. Network design- packets from one to the other.d If two
forwarding state maps destination ers have been very successful at this, bridged networks have incompatible
names to members/names in the same at least with respect to performance session protocols, then a joinbox, act-
network, while directory state maps properties. They have learned to ab- ing as a protocol converter, must be the
names from one network to names in stract the effects of used and using shared element between them.
another network. networks, and have developed effective We will now introduce a simple, fa-
Service properties and composi- optimization algorithms and tools for miliar example, which will illustrate
tional reasoning. A network offers to self-contained networks. bridging, trust, and service verifica-
its users one or more communication Reachability, behavioral, and se- tion. Figure 4 shows two private net-
services, each specified as a set of prop- curity properties are not so well un- works communicating through the
erties, and some associated with the derstood. Next, we discuss examples public Internet, although their rela-
use of specific session protocols. Some in which the new model captures the tionships to the public Internet are
properties are defined on individual structures and relationships needed
sessions, while others are defined on for reasoning compositionally about
these properties. d A joinbox must change at least one of the
source or destination in the session header;
c In cases where DNS maps a domain name to it may or may not be a “proxy,” which is a ses-
the server nearest the client, the domain name Bridging and Security sion-protocol endpoint. For example, the NAT
does not uniquely identify a server. Bridging. In our model a network has a in Figure 4 is a joinbox and not a proxy.

84 COMMUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 review articles

not symmetric. In this example an porary address U within the enterprise and enterprise gateway have network
employee’s laptop using the private network. At this point the laptop can members that are not trusted by their
IP network in a coffee shop is con- initiate a session with compute server Internet providers, but are trusted by
nected to the public Internet through W, using TCP as the session protocol in the enterprise. The VPN server does
bridging. At a higher level, using vir- the higher-level IP network. not allow the laptop’s member U to
tual private network (VPN) technol- Verification of trustworthy services. join the enterprise network until it
ogy layered on top of the previous net- To prove security properties, some enti- shows that it is trustworthy by sending
works, the laptop joins the employer’s ties must have responsibilities and be secret credentials.
private enterprise network, and ac- trusted to fulfill them. Normally the en- This VPN architecture enforces two
cesses a compute server within it. We tity that is trusted is a machine because security properties:
will look at the bridging first. the whole machine has a single owner,e ˲˲ Only packets originating at mem-
It has been a long time since there but trusted to do what, and by whom? bers of the enterprise network should
has been enough room in the IPv4 32- A machine can have members of mul- be allowed to reach W.
bit namespace to give every networked tiple networks, and in each network its ˲˲ All enterprise data being transmit-
machine a unique name. Outright member can play a different role. ted outside the walls of the enterprise
exhaustion of the namespace was de- In networks bridged together in should have confidentiality and integ-
layed by the fact that most private net- and with the public Internet, as on rity, meaning that no external agent
works reuse the same set of private IP the lower level of Figure 4, a network’s can read or alter the data.
addresses. The cost of this strategy is administrative authority owns routers The second property is guaranteed
that private IP addresses are ambigu- (and other infrastructure machines) by the IPsec implementation of dy-
ous except in their local context, and a and trusts them to behave as specified. namic links outside enterprise walls.
machine with a private address cannot Because the administrative authority To prove the first property, it is nec-
be reached from outside its local net- does not trust the user members (end- essary to establish that only packets
work except with a compound session. points), the behavior of the routers and transmitted on links in the enterprise
In Figure 4, the joinbox for the other infrastructure machines should network (which is not bridged to oth-
compound session is the coffee be sufficient to provide the specified er networks) are forwarded to W. The
shop’s IP router, which incorporates services in cooperation with well-be- easiest way to prove this is to rely on
the functionality of network address haved endpoints, and to protect the the fact that dynamic links of the en-
translation (NAT). The bidirectional network from ill-behaved endpoints. terprise network are associated with
compound session is initiated from Beyond the technical sources of trust, specific lower-level sessions. Then it
the private address X, to public ad- economic relationships provide in- is only necessary to check—no matter
dress S. Upon receiving the session- centives for administrative authorities what packets the public Internet deliv-
initiating packet, the NAT/router to ensure that networks satisfy their ers to its member S—that the member
alters it before forwarding, thus mak- service specifications.6 drops all received packets unless they
ing an outgoing session with its own In Figure 4, the employee’s laptop belong to sessions implementing dy-
public address N as the source. When namic links.
S accepts this session and sends e These terms must be refined slightly to apply
The VPN example is especially sim-
packets in the reverse direction, it to clouds, in which a machine hosts virtual ple because the security mechanisms
uses reachable N as the destination machines. at both levels are implemented on the
rather than unreachable X. In this
Figure 4. VPN architecture.
figure, the dark-gray box represents
the public Internet as one network,
Public names are in boldface red, while private names are not. Light-gray boxes
ignoring the fact it is really a bridging show attachments of members within the same machine.
of many networks. Bridging is shown
explicitly by the link and session Employee’s Enterprise Compute
across a network boundary. In the us- Laptop Private Enterprise IP Network Gateway Server
age hierarchy, the enterprise network TCP Session
uses both lower-level networks. Source = U, Dest = W
At the higher level of Figure 4, the U
Vpn
W
Dynamic, Encrypted Link Server S Links Inside
enterprise network is also a private IP Enterprise
network, with private addresses U and
W, and public address S. The laptop
joins the enterprise network by creat- Source = X, Dest = S Source = N, Dest = S IPec Two-way
Compound
ing a dynamic link to the VPN server. Session
The link is implemented by the IPsec Nat/
X Router S
session, so that packets are transmit- Router N
ted in encrypted and authenticated
form. The VPN server authenticates the Private IP Network in a Coffee Shop Public Internet
laptop, which has secret credentials is-
sued by the enterprise, and gives it tem-

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 85
review articles

same machine. The same verification provided that we remember they are packets and do not behave as session
pattern works for more complex secu- approximate abstractions with local- endpoints. The middleboxes adver-
rity mechanisms, however. The com- ized exceptions. tise the mobile range of IP addresses
mon structures are a secure network Mobility is a network service that into the public Internet, which means
layered on top of the public Internet, preserves reachability to a network each packet destined for an address
and a packet-filtering mechanism member, and may even preserve the in this range will be forwarded to one
that prevents harm (including denial- member’s ongoing sessions, even of them. The LISP-MN network has a
of-service attacks) at the level of the though the member’s machine is mov- directory mapping identifiers of mo-
public Internet.1 The secure overlay ing. One kind of mobility is provided bile nodes to their current locations.
carries only approved packets, as en- by LISP Mobile Node8,9 (for a survey When such a middlebox receives its
forced by its ingress members. The of all kinds of mobility, see Zave and first packet for ident2 (or first in a long
packet filters are on different ma- Rexford23). With LISP-MN, a machine time), it gets ident2’s location loc2
chines, and need only have enough has a network member with a persis- from the directory, creates a dynamic
knowledge to reject packets not be- tent IP address called an “identifier.” link to ident2, and forwards the pack-
longing to sessions implementing In a lower-level IP network, the ma- et on it. Subsequent packets to ident2
links of the overlay. chine has a member with a temporary, use the same link.
These examples barely scratch location-dependent IP address called The LISP-MN network is layered
the surface of network security. Nev- a “location.” As a new and lightweight on top of the public Internet, so that
ertheless, a broad survey of security way to provide mobility, LISP-MN must dynamic LISP links are implemented
mechanisms24 has shown that the interoperate with the public Internet. by public UDP sessions. On the same
compositional model is important for Figure 5 shows how. As in Figure 4, the machines as the three members of the
understanding all aspects of security, public Internet is depicted as if it were LISP-MN network there are members
and for working toward a comprehen- one network. of the public Internet with IP address-
sive proof framework. The model is es- At the top level of this figure, the es addr3, addr4, and loc2, and these
pecially valuable for discovering how public Internet is bridged with a LISP- are the endpoints of the UDP sessions.
security interacts with other aspects MN network, which is a specialized IP When a mobile node changes its loca-
of network architecture such as ses- network. The LISP-MN network owns tion, it notifies all the middleboxes
sion protocols, routing, virtualization, a range of IP addresses, from which with which it has dynamic links, and
and middleboxes. identifiers are drawn. Because of the also updates the directory. The UDP
bridging, a legacy host with IP address sessions will move to the new location,
The Usage Graph addr1 has been able to initiate a TCP but the LISP-MN links will remain.
One of the most interesting aspects session with a mobile node whose Like Figures 3 and 4, Figure 5 uses
of composition is that sometimes the identifier is ident2. vertical position to imply a usage
“usage hierarchy” is a convenient fic- The shared elements for bridging graph. In this usage graph, the LISP-
tion, because composition creates a are the unlabeled middleboxes. In MN network is both bridged with the
usage graph with cycles. It is still useful both networks these middleboxes re- public Internet (at the same level) and
to think in terms of usage hierarchies, semble IP routers, in that they forward layered on it. To avoid drawing the
cycle, we depict the public Internet in
Figures 5. The interoperation of LISP-MN with the public Internet. two places. This graph shows a com-
mon pattern for interoperation of
Each link (solid line), session (dashed line), or path of links and forwarders (solid
line broken with dots) is labeled above with the source of the packets traveling on special-purpose IP networks with the
it, and below with their destinations. public Internet.
Figure 3 is another example of a us-
TCP session age graph with a cycle in it. As in Fig-
ure 5, rather than drawing a cycle, we
addr1 addr1 mobile have put a network— here the campus
legacy node
host ident2 ident2 IP network—in the figure twice. At the
LISP-MN
(IP) bottom level of the figure, the only
addr1 ident2
network physical connection between LANs
ident2 ident2
is the campus IP network. The link
addr1 addr1 shown is exactly the same as the link
between 0.4 and 0.5 at the top level of
the figure. When an IP packet is sent
addr3
from source 2.7 to destination 2.8,
public addr3 it is encapsulated in a VLAN header
Internet loc2
loc2 with source M7 and destination M8.
addr4 loc2 When that packet is traversing the
UDP VLAN link between M4 and M5, it is
addr4 sessions
further encapsulated in an IP header
with source 0.4 and destination 0.5.

86 COM MUNICATIO NS O F TH E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 review articles

This packet format is called the “VX- ogy of a network might be dictated by References
LAN” format. security partitions (VLANs) or by paths 1. Andersen, D.G. Mayday: Distributed filtering for Internet
services. In Proceedings of the 4th USENIX Symposium
Special-purpose virtual links in IP through required middleboxes, as well on Internet Technologies and Systems, 2013.
networks are often called “tunnels.” as by physical connectivity. 2. Andersen, D.G. Balakrishnan, H., Feamster, N.,
Koponen, T., Moon, D. and Shenker, S. Accountable
Our model provides a structured view Layered networks hide informa- Internet Protocol (AIP). In Proceedings of ACM
of tunnels, clarifying the roles of net- tion, which can make problem diagno- SIGCOMM, 2008.
3. Benson, T., Akella, A., Shaikh, A. and Sahu, S.
work members at the upper and lower sis very difficult.19 On the other hand, Clous-NaaS: A cloud networking platform for
levels of tunnel endpoints, the state separation of concerns into different enterprise applications. In Proceedings of the 2nd ACM
Symposium on Cloud Computing, 2011.
that each network member requires, networks is a way of taming complex- 4. Blumenthal, M.S. and Clark, D.G. Rethinking the design
and the fields that must be present in ity. This is especially obvious when net- of the Internet: The end-to-end arguments vs. the
brave new world. ACM Trans. Internet Technology 1, 1
packet headers. This uniformity across works are being added for the second (Aug. 2001), 70-–109.
levels can explain confusing designs reason, and distinct topologies (for 5. Clark, D.D. The design philosophy of the DARPA
Internet protocols. In Proceedings of ACM SIGCOMM,
and make them analyzable. For ex- example) are maintained by distinct 1988. ACM.
6. Clark, D.D., Wroclawski, J., Sollins, K.R. and Braden, R.
ample, even though a network can use networks. Also, very often, it is more ef- Tussle in cyberspace: Defining tomorrow’s Internet. IEEE/
itself in a usage graph, a network link ficient to compose two networks than ACM Trans. Networking 13, 3 (June 2005), 462–475.
7. Day, J. Patterns in Network Architecture: A Return to
must never use itself. to intertwine distinct structures in the Fundamentals. Prentice Hall, 2008.
same network. This is illustrated well 8. Farinacci, D., Fuller, V., Meyer, D. and Lewis, D. The
Locator/ID Separation Protocol (LISP). IETF Request
Potential Benefits by Qazi et al.,16 which shows that the for Comments 6830. (Jan. 2013).
of the Compositional Model conflation of a middlebox topology and 9. Farinacci, D., Lewis, D., Meyer, D., and White, C. 2017.
LISP Mobile Node. IETF Network Working Group
Since 1993, the Internet has evolved a physical topology would cause a com- Internet Draft draft-ietf-lisp-mn-04. (Oct. 2017).
by means of new networks and new binatorial explosion of router state. 10. Feamster, N., Rexford, J. and Zegura, E. The road to SDN:
An intellectual history of programmable networks. ACM
compositions. The Internet today is a The most immediate potential Queue; https://queue.acm.org/detail.cfm?id=2560327.
vast collection of networks comprised benefits of the new model are based 11. Fuller, V., Li, T., Yu, J. and Varadhan, K. Classless inter-
domain routing (CIDR): An address assignment and
in a rich variety of ways by layering and on its capacity to explain the com- aggregation strategy. IETF Network Working Group
bridging, including being composed plexity that is already present and Request for Comments 1519. (1993).
12. Handley, M. Why the Internet only just works. BT
with themselves. Networks are easy to must be dealt with. The model can Technology Journal 24, 3 (July 2006), 119–129.
be formalized through analytic tools 13. ITU. Information Technology—Open Systems
add locally (campus networks, cloud Interconnection—Basic Reference Model: The basic
computing) or at high levels of the ap- and reasoning technology, in sup- model. ITU-T Recommendation X.200. (1994).
14. Karsten, M., Keshav, S. and Prasad, S. An axiomatic
proximate usage hierarchy (mobility, port of robustness and verification of basis for communication. In Proceedings of HotNets-V,
distributed systems). They are slower trustworthy services. We also believe 2006. ACM.
15. Kim, C., Caesar, M. and Rexford, J. SEATTLE: A
to disseminate when both global and the model should be used in gradu- scalable Ethernet architecture for large enterprises.
low in the hierarchy (IPv6). ate-level teaching, to cover a wider va- ACM Trans. Computer Systems 29, 1 (2011).
16. Qazi, Z.A., Tu, C.C., Chiang, L., Miao, R., Sekar, V. and Yu,
This evolution, while necessary to riety of networks in a shorter period M. SIMPLE-fying middlebox policy enforcement using
keep up with increased demand, new of time, and to encourage recogni- SDN. In Proceedings of ACM SIGCOMM. 2013.
17. Roscoe, T. The end of Internet architecture. In
technology, and many new require- tion of patterns and principles. Proceedings of the 5th Workshop on Hot Topics in
ments, has created tremendous com- Next, the model has the potential to Networks, 2006.
18. Saltzer, J., Reed, D. and Clark, D.D. End-to-end
plexity. First and foremost, our com- improve current design and develop- arguments in system design. ACM Trans. Computer
positional model describes the current ment of software-defined networks. Systems 2, 4 (Nov. 1984), 277–288.
19. Spatscheck, O. Layers of success. IEEE Internet
complex Internet as precisely as the Reusable patterns would both increase Computing 17, 1 (2013), 3–6.
classic Internet architecture described the availability of different points in a 20. Venkataramani, A., Kurose, J.F., Raychaudhuri,
D., Nagaraja, K., Banerjee, S. and Mao, Z.M.
the Internet of 1993. Because it is in- trade-off space, and make each easier MobilityFirst: A mobility-centric and trustworthy
Internet architecture. ACM SIGCOMM Computer
herently modular, it also has the poten- to deploy by means of reusable or gener- Communication Review 44, 3 (July 2014), 74–80.
tial to organize, explain, and simplify ated software. Optimizations should be- 21. Wang, Y., Matta, I., Esposito, F. and Day, J. Introducing
ProtoRINA: A prototype for programming recursive-
as well as to describe. come easier to apply, because the mod- networking policies. ACM SIGCOMM Computer
Based on our experience applying the el can help us reason that they are safe. Communications Review 44, 3 (July 2014).
22. Yu, M., Rexford, J., Sun, X., Rao, S. and Feamster, N.
model to many kinds of networks and Finally, a compositional model may A survey of virtual LAN usage in campus networks.
aspects of networking, there are two pri- help us to find a simpler future Inter- IEEE Communications 49, 7 (July 2011), 98–103.
23. Zave, P. and Rexford, J. The design space of network
mary reasons for adding a new network net architecture that truly meets fore- mobility. In Recent Advances in Networking,
to the global Internet architecture: seeable requirements and might even Olivier Bonaventure and Hamed Haddadi (Eds). ACM
SIGCOMM, 2013.
˲˲ The network provides a specialized adapt to unforeseeable ones. Perhaps, 24. Zave, P. and Rexford, J. Network Security; https://
service or unusual cost/performance with study of compositional principles www.cs.princeton.edu/courses/archive/fall18/cos561/
papers/Security18.pdf.
trade-off through mechanisms that are and compositional reasoning, we can 25. Zhang, L., Afanasyev, A., Burke, J. and Jacobson, V.
not compatible with the general-pur- discover optimal uses of composition, Named Data Networking. ACM SIGCOMM Computer
Communication Review 44, 3 (July 2014), 66–73.
pose classic Internet design. in configurations that exploit its ben-
˲˲ There is a need for two different efits and ameliorate its disadvantages. Pamela Zave ([email protected]) is a researcher
instances of a network structure with This could be the basis of network ar- in the Department of Computer Science at Princeton
University, Princeton, NJ, USA.
two different purposes. As in LISP-MN, chitectures that offer both flexibility
Jennifer Rexford ([email protected]) is the Gordon Y.S.
member names might be either per- and manageability. Pushing Internet Wu Professor of Engineering in the Department of Computer
manent identifiers or temporary loca- evolution in this direction would be a Science at Princeton University, Princeton, NJ, USA.

tions. For another example, the topol- truly worthy goal. © 2019 ACM 0001-0782/19/3

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 87
review articles
DOI:10.1145/ 3232535
While crude, worst-case analysis
The need for deeply understanding can be tremendously useful, and it is
the dominant paradigm for algorithm
when algorithms work (or not) analysis in theoretical computer sci-
has never been greater. ence. A good worst-case guarantee
is the best-case scenario for an algo-
BY TIM ROUGHGARDEN rithm, certifying its general-purpose
utility and absolving its users from un-

Beyond
derstanding which inputs are relevant
to their applications. Remarkably, for
many fundamental computational
problems, there are algorithms with

Worst-Case
excellent worst-case performance
guarantees. The lion’s share of an un-
dergraduate algorithms course com-
prises algorithms that run in linear or

Analysis
near-linear time in the worst case.
For many problems a bit beyond
the scope of an undergraduate course,
however, the downside of worst-case
analysis rears its ugly head. Here, I
review three classical examples where
worst-case analysis gives misleading
or useless advice about how to solve a
problem; further examples in modern
machine learning are described later.
COMPARING D IFFE RE NT ALG O RI T H MS is hard. For These examples motivate the alterna-
almost any pair of algorithms and measure of tives to worst-case analysis described
in the article.b
algorithm performance like running time or solution The simplex method for linear
quality, each algorithm will perform better than the programming. Perhaps the most fa-
mous failure of worst-case analysis
other on some inputs.a For example, the insertion sort concerns linear programming, the
algorithm is faster than merge sort on already-sorted problem of optimizing a linear func-
arrays but slower on many other inputs. When two
b For many more examples, analysis frame-
algorithms have incomparable performance, how can works, and applications, see the author’s lec-
we deem one of them “better than” the other? ture notes.36

Worst-case analysis is a specific modeling choice

key insights
in the analysis of algorithms, where the overall
˽˽ Worse-case analysis takes a "Murphy's
performance of an algorithm is summarized by its Law" approach to algorithm analysis,
worst performance on any input of a given size. The which is too crude to give meaningful
algorithmic guidance for many
“better” algorithm is then the one with superior worst- important problems, including linear
programming, clustering, caching,
case performance. Merge sort, with its worst-case and neural network training.

asymptotic running time of Θ(n log n) for arrays of ˽˽ Research going "beyond worst-case
analysis" articulates properties of
length n, is better in this sense than insertion sort, realistic inputs, and proves rigorous and
meaningful algorithmic guarantees for
which has a worst-case running time of Θ(n2). inputs with these properties.
˽˽ Much of the present and future
a In rare cases a problem admits an instance-optimal algorithm, which is as good as every other al- research in the area is motivated by
gorithm on every input, up to a constant factor.23 For most problems, there is no instance-optimal the unreasonable effectiveness
algorithm, and there is no escaping the incomparability of different algorithms. of machine learning algorithms.

88 COM MUNICATIO NS O F TH E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 tion subject to linear constraints This robust empirical performance value. The running time of the simplex
(Figure 1). Dantzig’s simplex method suggested the simplex method might method is polynomial for all practical
is an algorithm from the 1940s that well solve every linear program in a purposes, despite the exponential pre-
COLL AGE BY A NDRIJ BO RYS ASSOCIATES/ SH UTT ERSTO CK

solves linear programs using greedy polynomial amount of time. diction of worst-case analysis.
local search on the vertices on the In 1972, Klee and Minty showed by To add insult to injury, the first
solution set boundary, and variants example that there are contrived linear worst-case polynomial-time algo-
of it remain in wide use to this day. programs that force the simplex meth- rithm for linear programming, the
The enduring appeal of the simplex od to run in time exponential in the ellipsoid method, is not competitive
method stems from its consistently number of decision variables (for all of with the simplex method in practice.c
superb performance in practice. Its the common “pivot rules” for choosing
running time typically scales modest- the next vertex). This illustrates the first
c Interior-point methods, developed five years
ly with the input size, and it routinely potential pitfall of worst-case analysis: later, lead to algorithms that both run in
solves linear programs with millions overly pessimistic performance pre- worst-case polynomial time and are competi-
of decision variables and constraints. dictions that cannot be taken at face tive with the simplex method in practice.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 89
review articles

Figure 1. A two-dimensional linear zation problems that are defined over ing that recently requested pages are
programming problem. clusterings are NP-hard. likely to be requested again soon. The
In practice, clustering is not viewed LRU policy uses the recent past as a
as a particularly difficult problem. prediction for the near future. Empiri-
Lightweight clustering algorithms, like cally, it typically suffers fewer cache
Lloyd’s algorithm for k-means and its misses than competing policies like
Optimum variants, regularly return the intuitive- first-in first-out (FIFO).
ly “correct” clusterings of real-world Sleator and Tarjan37 founded the
point sets. How can we reconcile the area of online algorithms, which are
Objective
function
worst-case intractability of clustering algorithms that must process their in-
problems with the empirical success of put as it arrives over time (like cache
Feasible region
relatively simple algorithms?d policies). One of their first observa-
One possible explanation is that tions was that worst-case analysis,
clustering is hard only when it doesn’t straightforwardly applied, provides
matter.18 For example, if the difficult no useful insights about the perfor-
instances of an NP-hard clustering mance of different cache replace-
Figure 2. One possible way to group data problem look like a bunch of random ment policies. For every determinis-
points into three clusters. unstructured points, who cares? The tic policy and cache size k, there is a
common use case for a clustering al- pathological page request sequence
gorithm is for points that represent that triggers a page fault rate of 100%,
images, or documents, or proteins, even though the optimal clairvoyant
or some other objects where a “mean- replacement policy (known as Bé-
ingful clustering” is likely to exist. lády’s algorithm) would have a page
Could instances with a meaningful fault rate of at most (1/k)%. This ob-
clustering be easier than worst-case servation is troublesome both for its
instances? This article surveys recent absurdly pessimistic performance
theoretical developments that sup- prediction and for its failure to differ-
port an affirmative answer. entiate between competing replace-
Cache replacement policies. Con- ment policies (like LRU vs. FIFO). One
sider a system with a small fast mem- solution, discussed next, is to choose
ory (the cache) and a big slow memory. an appropriately fine-grained param-
Data is organized into blocks called eterization of the input space and to
pages, with up to k different pages assess and compare algorithms using
Taken at face value, worst-case analy- fitting in the cache at once. A page parameterized guarantees.
sis recommends the ellipsoid method request results in either a cache hit
over the empirically superior simplex (if the page is already in the cache) Models of Typical Instances
method. One framework for narrow- or a cache miss (if not). On a cache Maybe we shouldn’t be surprised that
ing the gap between these theoretical miss, the requested page must be worst-case analysis fails to advocate
predictions and empirical observa- brought into the cache. If the cache LRU over FIFO. The empirical supe-
tions is smoothed analysis, discussed is already full, then some page in it riority of LRU is due to the special
later in this article. must be evicted. A cache policy is structure in real-world page request
Clustering and NP-hard optimiza- an algorithm for making these evic- sequences—locality of reference—and
tion problems. Clustering is a form tion decisions. Any systems textbook traditional worst-case analysis pro-
of unsupervised learning (finding pat- will recommend aspiring to the least vides no vocabulary to speak about this
terns in unlabeled data), where the recently used (LRU) policy, which structure.e This is what work on “be-
informal goal is to partition a set of evicts the page whose most recent yond worst-case analysis” is all about:
points into “coherent groups” (Figure reference is furthest in the past. The articulating properties of “real-world”
2). One popular way to coax this goal same textbook will explain why: real- inputs, and proving rigorous and mean-
into a well-defined computational world page request sequences tend ingful algorithmic guarantees for inputs
problem is to posit a numerical objec- to exhibit locality of reference, mean- with these properties.
tive function over clusterings of the Research in the area has both a
point set, and then seek the clustering scientific dimension, where the goal
d More generally, optimization problems are
with the best objective function value. more likely to be NP-hard than not. In many
is to develop transparent mathemati-
For example, the goal could be to cases, even computing an approximately op-
choose k cluster centers to minimize timal solution is an NP-hard problem (see e If worst-case analysis has an implicit model of
the sum of the distances between Trevisan36 for example). Whenever an efficient data, then it’s the “Murphy’s Law” data model,
points and their nearest centers (the algorithm for such a problem performs bet- where the instance to be solved is an adversari-
ter on real-world instances than (worst-case) ally selected function of the chosen algorithm.
k-median objective) or the sum of the complexity theory would suggest, there’s an Outside of cryptographic applications, this is
squared such distances (the k-means opportunity for a refined and more accurate a rather paranoid and incoherent way to think
objective). Almost all natural optimi- theoretical analysis. about a computational problem.

90 COMMUNICATIO NS O F TH E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 review articles

cal models that explain empirically fault rate of the LRU policy is at most goal is to partition the vertices V of a
observed phenomena about algo- αf (k). graph G with edges E and nonnega-
rithm performance, and an engineer- (b) There exists a choice of f and tive edge weights into two groups,
ing dimension, where the goals are k, and a page request sequence that while maximizing the total weight of
to provide accurate guidance about conforms to f, such that the page fault the edges that have one endpoint in
which algorithm to use for a problem rate of the FIFO policy is strictly larger each group. The reduction forms a
and to design new algorithms that than αf (k). complete graph G, with vertices cor-
perform particularly well on the rel- Parts (a) and (b) prove the worst-case responding to the data points, and
evant inputs. optimality of the LRU policy in a strong assigns a weight we to each edge e in-
One exemplary result in beyond sense, f-by-f and k-by-k. Part (c) differ- dicating how dissimilar its endpoints
worst-case analysis is due to Albers entiates LRU from FIFO, as the latter are. The maximum cut of G is a 2-clus-
et al.,2 for the online paging problem is suboptimal for some (in fact, many) tering that tends to put dissimilar pairs
described in the introduction. The key choices of f and k. of points in different clusters.
idea is to parameterize page request The guarantees in Theorem 1 are so There are many ways to quantify
sequences according to how much good that they are meaningful even “dissimilarity” between images, and
locality of reference they exhibit, and when taken at face value—for sub- different definitions might give differ-
then prove parameterized worst-case linear f’s, αf (k) goes to 0 reasonably ent optimal 2-clusterings of the data
guarantees. Refining worst-case anal- quickly with k. For example, if f (w) points. One would hope that, for a
ysis in this way leads to dramatically = [√w], then αf (k) scales with 1/√k. range of reasonable measures of dis-
more informative results.f Thus, with a cache size of 10,000, the similarity, the maximum cut in the
Locality of reference is quantified page fault rate is always at most 1%. If example above would have all cats on
via the size of the working set of a page f (w) = [1 + log2 w], then αf (k) goes to 0 one side and all dogs on the other. In
request sequence. Formally, for a func- even faster with k, roughly as k/2k.h other words, the maximum cut should
tion f : N → N, we say that a request be invariant under minor changes to
sequence conforms to f if, in every win- Stable Instances the specification of the edge weights
dow of w consecutive page requests, at Are point sets with meaningful cluster- (Figure 3).
most f (w) distinct pages are requested. ings easier to cluster than worst-case Definition 2 (Bilu and Linial12). An
For example, the identity function f (w)= w point sets? Here, we describe one way instance G = (V, E, w) of the maximum
imposes no restrictions on the page re- to define a “meaningful clustering,” cut problem is γ-perturbation stable if,
quest sequence. A sequence can only due to Bilu and Linial;12 for others, see for all ways of multiplying the weight we
conform to a sublinear function like Ackerman and Ben-David,1 Balcan et of each edge e by a factor ae ∈ [1, γ], the
f (w) = [√w] or f (w) = [1 + log2 w] if it ex- al.,9 Daniely et al.,18 Kumar and Kan- optimal solution remains the same.
hibits locality of reference.g nan,29 and Ostrovsky et al.34 A perturbation-stable instance
The following worst-case guarantee The maximum cut problem. Sup- has a “clearly optimal” solution—
is parameterized by a number αf (k), be- pose you have a bunch of data points a uniqueness assumption on ste-
tween 0 and 1, that we discuss shortly; representing images of cats and im- roids—thus formalizing the idea of a
recall that k denotes the cache size. It ages of dogs, and you would like to au- “meaningful clustering.” In machine
assumes that the function f is “con- tomatically discover these two groups. learning parlance, perturbation sta-
cave” in the sense that the number One approach is to reduce this task to bility can be viewed as a type of “large
of inputs with value x under f (that is, the maximum cut problem, where the margin” assumption.
|f -1(x)|) is nondecreasing in x. The maximum cut problem is NP-
h See Albers et al.2 for the precise closed-form hard in general. But what about the
Theorem 1 (Albers et al.2) formula for αf (k) in general. special case of γ-perturbation-stable in-
(a) For every f and k and every determinis-
tic cache replacement policy, the worst- Figure 3. In a perturbation-stable maximum cut instance, the optimal solution is invariant
under small perturbations to the edges’ weights.
case page fault rate (over sequences that
conform to f) is at least αf (k).
(a) For every f and k and every
sequence that conforms to f, the page
3 3

f Parameterized guarantees are common in the

analysis of algorithms. For example, the field of
3 3 3 3
parameterized algorithms and complexity has 1 1 2 2
developed a rich theory around parameterized
running time bounds (see the book by Cygan
et al.16). Theorem 1 employs an unusually fine-
grained and problem-specific parameteriza-
3 3
tion, and in exchange obtains unusually accu-
rate and meaningful results.
g The notation [x] means the number x, round-
ed up to the nearest integer.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 91
review articles

stances? As γ increases, fewer and few- instances, these results give a precise
er instances qualify as γ-perturbation sense in which clustering is hard only
stable. Is there a sharp stability thresh- when it doesn’t matter.k
old—a value of γ where the maximum Overcoming NP-hardness. Polynomial-
cut problem switches from NP-hard to
polynomial-time solvable? The unreasonable time algorithms for γ-perturbation-
stable instances continue the age-old
Makarychev et al.30 largely resolved
this question. On the positive side,
effectiveness of tradition of identifying “islands of
tractability,” meaning polynomial-
they showed that if γ is at least a slowly modern machine time solvable special cases of NP-hard
growing function of the number of ver-
tices n, then the maximum cut prob-
learning algorithms problems. Two aspects of these re-
sults diverge from a majority of 20th
lem can be solved in polynomial time has thrown down century research on tractable special
for all γ-perturbation stable instances.i
Makarychev et al. use techniques from
the gauntlet cases. First, perturbation-stability is
not an easy condition to check, in con-
the field of metric embeddings to show to algorithms trast to a restriction like graph planar-
that, in such instances, the unique op-
timal solution of a certain semidefinite researchers, ity or Horn-satisfiability. Instead, the
assumption is justified with a plausi-
programming relaxation corresponds and there is ble narrative about why “real-world
precisely to the maximum cut.j Semi-
definite programs are convex pro- perhaps no other instances” might satisfy it, at least
approximately. Second, in most work
grams, and can be solved to arbitrary
precision in polynomial time. There is
problem domain going beyond worst-case analysis, the
goal is to study general-purpose algo-
also evidence that the maximum cut with a more rithms, which are well defined on all
cannot be recovered in polynomial
time in γ-perturbation-stable instances
urgent need inputs, and use the assumed instance
structure only in the algorithm analy-
for much smaller values of γ.30 for the beyond sis (and not explicitly in its design).
Other clustering problems. Bilu
and Linial12 defined γ-perturbation- worst-case The hope is the algorithm continues
to perform well on many instances
stable instances specifically for the approach. not covered by its formal guarantee.
maximum cut problem, but the defi- The results here for mathematical
nition makes sense more generally programming relaxations and single-
for any optimization problem with a linkage-based algorithms are good ex-
linear objective function. The study amples of this paradigm.
of γ-perturbation-stable instances has Analogy with sparse recovery. There
been particularly fruitful for NP-hard are compelling parallels between the
clustering problems in metric spaces, recent research on clustering in stable
where interpoint distances are re- instances and slightly older results in
quired to satisfy the triangle inequal- a field of applied mathematics known
ity. Many such problems, including as sparse recovery, where the goal is
the k-means, k-median, and k-center to reverse engineer a “sparse” object
problems, are polynomial-time solv- from a small number of clues about
able already in 2-perturbation-stable it. A common theme in both areas is
instances.5,10 The algorithm in An- identifying relatively weak conditions
gelidakis et al.,5 like its precursor in under which a tractable mathemati-
Awasthi et al.,8 is inspired by the well cal programming relaxation of an
known single-linkage clustering algo- NP-hard problem is guaranteed to be
rithm. It computes a minimum span- exact, meaning the original problem
ning tree (where edge weights are the and its relaxation have the same opti-
interpoint distances) and uses dynam- mal solution.
ic programming to optimally remove For example, a canonical prob-
k - 1 edges to define k clusters. To the lem in sparse recovery is compressive
extent that we are comfortable iden- sensing, where the goal is to recover
tifying “instances with a meaningful
clustering” with 2-perturbation-stable k A relaxed and more realistic version of pertur-
bation-stability allows small perturbations to
i Specifically, γ = Ω (√(log
n log log n). make small changes to the optimal solution.
j In general, the optimal solution of a linear or Many of the results mentioned in this section
semidefinite programming relaxation of an can be extended to instances meeting this
NP-hard problem is a “fractional solution” relaxed condition, with a polynomial-time al-
that does not correspond to a feasible solution gorithm guaranteed to recover a solution that
to the original problem. closely resembles the optimal one.5,9,30

92 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 review articles

an unknown sparse signal (a vector 50% probability. This is also known erage-case analysis—the solution is
of length n) from a small number m as an Erdös-Renyi random graph with brittle and overly tailored to a specific
of linear measurements of it. Equiva- edge density ½. Second, for a param- distributional assumption. How can
lently, given an m x n measurement eter k ∈ {1, 2, . . . , n}, a subset Q ⊆ V we change the input model to encour-
matrix A with m << n and the mea- of k vertices is chosen uniformly at age the design of algorithms with more
surement results b = Az, the prob- random, and all remaining edges with robust guarantees? Can we find a sweet
lem is to figure out the signal z. both endpoints in Q are added to the spot between average-case and worst-
This problem has several important graph (thus making Q a k-clique). case analysis?
applications, for example in medi- How big does k need to be before Semi-random models. Blum and
cal imaging. If z can be arbitrary, then Q becomes visible to a polynomial- Spencer13 proposed studying semi-
the problem is hopeless: since m < n, time algorithm? The state of the art random models, where nature and
the linear system Ax = b is underde- is a spectral algorithm of Alon et al.,3 an adversary collaborate to produce
termined and has an infinite number which recovers the planted clique Q an input. In many such models, na-
of solutions (of which z is only one). with high probability provided k is at ture first samples an input from a
But many real-world signals are (ap- least a constant times √n. Recent work specific distribution (like the proba-
proximately) k-sparse in a suitable suggests that efficient algorithms can- bilistic planted clique model noted
basis for small k, meaning that (al- not recover Q for significantly smaller here), which is then modified by the
most) all of the mass is concentrated values of k.11 adversary before being presented as
on k coordinates.l The main results in An unsatisfying algorithm. The al- an input to an algorithm. It is impor-
compressive sensing show that, un- gorithm of Alon et al.3 is theoretically tant to restrict the adversary’s power,
der appropriate assumptions on A, interesting and plausibly useful. But if so that it cannot simply throw out
the problem can be solved efficiently we take k to be just a bit bigger, at least nature’s starting point and replace it
even when m is only modestly bigger a constant times √n log n, then there is with a worst-case instance. Feige and
than k (and much smaller than n).15,20 an uninteresting and useless algo- Killian24 suggested studying monotone
One way to prove these results is to rithm that recovers the planted clique adversaries, which can only modify
formulate a linear programming re- with high probability: return the k ver- the input by making the optimal so-
laxation of the (NP-hard) problem of tices with the largest degrees. To see lution “more obviously optimal.” For
computing the sparsest solution to why this algorithm works, think first example, in the semi-random ver-
Ax = b, and then show this relaxation about the sampled Erdös-Renyi ran- sion of the planted clique problem, a
is exact. dom graph, before the clique Q is monotone adversary is only allowed
planted. The expected degree of each to remove edges that are not in the
Planted and Semi-Random Models vertex is ≈ n/2, with standard deviation planted clique Q—it cannot remove
Our next genre of models is also in- ≈√n/2. Textbook large deviation in- edges from Q or add edges outside Q.
spired by the idea that interesting equalities show that, with high proba- Semi-random models with a mono-
instances of a problem should have bility, the degree of every vertex is with- tone adversary may initially seem no
“clearly optimal” solutions, but dif- in ≈√ln n standard deviations of its harder than the planted models that
fers from the stability conditions in as- expectation (Figure 4). Planting a they generalize. But let’s return to the
suming a generative model—a specific clique Q of size a√n log n, for a suffi- planted clique model with k = Ω(√n log n
distribution over inputs. The goal is ciently large constant a, then boosts ), where the “top-k degrees” algorithm
to design an algorithm that, with high the degrees of all of the clique vertices succeeds with high probability when
probability over the assumed input dis- enough that they catapult past the de- there is no adversary. A monotone ad-
tribution, computes an optimal solu- grees of all of the non-clique vertices. versary can easily foil this algorithm in
tion in polynomial time. What went wrong? The same thing the semi-random planted clique mod-
The planted clique problem. In the that often goes wrong with pure av- el, by removing edges between clique
maximum clique problem, the input
is an undirected graph G = (V, E), and Figure 4. Degree distribution of an Erdo″s–Rényi graph with edge density ½, before planting
the k-clique Q. If k = Ω (√
(n
lg n ), then the planted clique will consist of the k vertices with

the goal is to identify the largest subset the highest degrees.
of vertices that are mutually adjacent.
This problem is NP-hard, even to ap-
proximate by any reasonable factor.
Is it easy when there is a particularly
prominent clique to be found?
Jerrum27 suggested the following
generative model: There is a fixed set V
of n vertices. First, each possible edge
(u, v) is included independently with
degrees
l For example, audio signals are typically ap-
proximately sparse in the Fourier basis, im-
ages in the wavelet basis.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 93
review articles

and non-clique vertices to decrease captured by this framework: whatever perturbations, the perturbed instance
the degrees of the former back down problem you would like to solve, there is well-conditioned in the sense that
to ≈ n/2. Thus the semi-random model are inevitable inaccuracies in its for- each step of the simplex method
forces us to develop smarter, more ro- mulation (from measurement error, makes significant progress traversing
bust algorithms.m uncertainty, and so on). the boundary of the shadow.
For the semi-random planted The simplex method. Spielman Local search. A local search algo-
clique model, Feige and Krauth- and Teng38 developed the smoothed rithm for an optimization problem
gamer24 gave a polynomial-time al- analysis framework with the specific maintains a feasible solution, and
gorithm that recovers the clique with goal of proving that bad inputs for the iteratively improves that solution via
high probability provided k = Ω(√n ). simplex method are exceedingly rare. “local moves” for as long as possible,
The spectral algorithm by Alon et al.3 Average case analyses of the simplex terminating with a locally optimal
achieved this guarantee only in the method from the 1980s (for example, solution. Local search heuristics are
standard planted clique model, and Borgwardt14) provide evidence for this ubiquitous in practice, in many differ-
it does not provide any strong guaran- thesis, but smoothed analysis provides ent application domains. Many such
tees for the semi-random model. The more robust support for it. heuristics have an exponential worst-
algorithm of Feige and Krauthgamer24 The perturbation model in Spiel- case running time, despite always ter-
instead uses a semidefinite program- man and Teng38 is: independently for minating quickly in practice (typically
ming relaxation of the problem. Their each entry of the constraint matrix and within a sub-quadratic number of it-
analysis shows that this relaxation is right-hand side of the linear program, erations). Resolving this disparity is
exact with high probability in the stan- add a Gaussian (that is, normal) ran- right in the wheelhouse of smoothed
dard planted clique model (provided k dom variable with mean 0 and stan- analysis. For example, Lloyd’s algo-
= Ω(√n)), and uses the monotonicity dard deviation σ.n The parameter σ rithm for the k-means problem can
properties of optimal mathematical interpolates between worst-case analy- require an exponential number of
programming solutions to argue this sis (when σ = 0) and pure average-case iterations to converge in the worst
exactness cannot be sabotaged by any analysis (as σ → ∞, the perturbation case, but needs only an expected poly-
monotone adversary. drowns out the original linear pro- nomial number of iterations in the
gram). The main result states that the smoothed case (see Arthur et al.7 and
Smoothed Analysis expected running time of the simplex the references therein).o
Smoothed analysis is another example method is polynomial as long as typical Much remains to be done, how-
of a semi-random model, now with perturbations have magnitude at least ever. For a concrete challenge prob-
the order of operations reversed: an an inverse polynomial function of the lem, let’s revisit the maximum cut
adversary goes first and chooses an ar- input size (which is small!). problem. The input is an undirected
bitrary input, which is then perturbed graph G = (V, E) with edge weights,
slightly by nature. Smoothed analysis Theorem 3 (Spielman and Teng38) and the goal is to partition V into two
can be applied to any problem where For every initial linear program, in ex- groups to maximize the total weight
“small perturbations” make sense, pectation over the perturbation to the of the edges with one endpoint in
including most problems with real- program, the running time of the sim- each group. Consider a local search
valued inputs. It can be applied to any plex method is polynomial in the input algorithm that modifies the current
measure of algorithm performance, size and in 1/σ. solution by moving a single vertex
but has proven most effective for run- The running time blow-up as σ → 0 is from one side to the other (known
ning time analyses. necessary because the worst-case run- as the “flip neighborhood”), and per-
Like other semi-random models, ning time of the simplex method is forms such moves as long as they in-
smoothed analysis has the benefit of exponential. Several researchers have crease the sum of the weights of the
potentially escaping worst-case in- devised simpler analyses and better edges crossing the cut. In the worst
puts (especially if they are “isolated”), polynomial running times, most re- case, this local search algorithm can
while avoiding overfitting a solution cently Dadush and Huiberts.17 All of require an exponential number of it-
to a specific distributional assump- these analyses are for a specific pivot erations to converge. What about in
tion. There is also a plausible narra- rule, the “shadow pivot rule.” The idea the smoothed analysis model, where
tive about why real-world inputs are is to project the high-dimensional fea- a small random perturbation is added
sible region of a linear program onto
m The extensively studied “stochastic block a plane (the “shadow”) and run the
model” generalizes the planted clique model simplex method there. The hard part o An orthogonal issue with local search heuris-
(for example, see Moore32), and is another tics is the possibility of outputting a locally
fruitful playground for semi-random models.
of proving Theorem 3 is showing that, optimal solution that is much worse than a
Here, the vertices of a graph are partitioned with high probability over nature’s globally optimal one. Here, the gap between
into groups, and the probability that an edge theory and practice is not as embarrassing—
is present is a function of the groups that con- for many problems, local search algorithms
tain its endpoints. The responsibility of an n This perturbation results in a dense constraint really can produce pretty lousy solutions.
algorithm in this model is to recover the (un- matrix even if the original one was sparse, and For this reason, one generally invokes a local
known) vertex partition. This goal becomes for this reason Theorem 3 is not fully satisfactory. search algorithm many times with different
provably strictly harder in the presence of a Extending this result to sparsity-preserving starting points and returns the best of all of
monotone adversary.31 perturbations is an important open question. the locally optimal solutions found.

94 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 review articles

to each edge’s weight? The natural so often converge quickly to a local op-
conjecture is that local search should timum, or even to a global optimum?q
terminate in a polynomial number of Second, modern neural networks are
iterations, with high probability over typically over-parameterized, mean-
the perturbation. This conjecture has
been proved for graphs with maxi- There are ing that the number of free param-
eters (weights and biases) is consider-
mum degree O(log n)21 and for the
complete graph;4 for general graphs,
compelling ably larger than the size of the training
dataset. Over-parameterized models
the state-of-the-art is a quasi-polyno- parallels between are vulnerable to large generalization
mial-time guarantee (meaning nO(log n)
iterations).22
the recent research error (that is, overfitting), but state-
of- the-art neural networks generalize
More ambitiously, it is tempting on clustering in shockingly well.40 How can we explain
to speculate that for every natural lo-
cal search problem, local search ter-
stable instances this? The answer likely hinges on
special properties of both real-world
minates in a polynomial number of and slightly datasets and the optimization algo-
iterations in the smoothed analysis
model (with high probability). Such a older results in rithms used for neural network train-
ing (principally stochastic gradient
result would be a huge success story for a field of applied descent).r

mathematics
smoothed analysis and beyond worst- Another interesting case study,
case analysis more generally. this time in unsupervised learning,

On Machine Learning
known as sparse concerns topic modeling. The goal
here is to process a large unlabeled
Much of the present and future of recovery, where corpus of documents and produce a
research going beyond worst-case
analysis is motivated by advances in
the goal is to list of meaningful topics and an as-
signment of each document to a mix-
machine learning.p The unreason- reverse engineer ture of topics. One computationally
able effectiveness of modern machine
learning algorithms has thrown down a “sparse” object efficient approach to the problem is
to use a singular value decomposition
the gauntlet to algorithms researchers, from a small subroutine to factor the term-docu-
and there is perhaps no other problem
domain with a more urgent need for number of clues ment matrix into two matrices, one
that describes which words belong to
the beyond worst-case approach.
To illustrate some of the challeng-
around it. which topics, and one indicating the
topic mixture of each document.35
es, consider a canonical supervised This approach can lead to negative
learning problem, where a learning entries in the matrix factors, which
algorithm is given a dataset of object- hinders interpretability. Restricting
label pairs and the goal is to produce the matrix factors to be nonnegative
a classifier that accurately predicts yields a problem that is NP-hard in
the label of as-yet-unseen objects (for the worst case, but Arora et al.6 gave
example, whether or not an image a practical factorization algorithm
contains a cat). Over the past decade, for topic modeling that runs in poly-
aided by massive datasets and compu- nomial time under a reasonable as-
tational power, deep neural networks sumption about the data. Their as-
have achieved impressive levels of sumption states that each topic has
performance across a range of predic- at least one “anchor word,” the pres-
tion tasks.25 Their empirical success ence of which strongly indicates that
flies in the face of conventional wis- the document is at least partly about
dom in multiple ways. First, most neu- that topic (such as the word “Durant”
ral network training algorithms use for the topic “basketball”). Formally
first-order methods (that is, variants articulating this property of data was
of gradient descent) to solve noncon- an essential step in the development
vex optimization problems that had of their algorithm.
been written off as computationally The beyond worst-case viewpoint
intractable. Why do these algorithms can also contribute to machine learning by
“stress-testing” the existing theory

p Arguably, even the overarching goal of research

in beyond worst-case analysis—determining q See Jin et al.28 and the references therein for
the best algorithm for an application-specific recent progress on this question.
special case of a problem—is fundamentally a r See Neyshabur33 and the references therein for
machine learning problem.26 recent developments in this direction.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 95
review articles

and providing a road map for more there remain many unexplained gaps Moitra, A, and Stewart, A. Being robust (in high
dimensions) can be practical. In Proceedings of the
robust guarantees. While work in be- between the theoretical and empiri- 34th International Conference on Machine Learning,
yond worst-case analysis makes strong cal performance of widely used algo- 2017, 999–1008.
20. Donoho, D.L. Compressed sensing. IEEE Trans.
assumptions relative to the norm in rithms. With so many opportunities Information Theory 52, 4 (2006), 1289–1306.
theoretical computer science, these for consequential research, I suspect 21. Elsasser, R. and Tscheuschner, T. Settling the
complexity of local max-cut (almost) completely.
assumptions are usually weaker than the best work in the area is yet to come. In Proceedings of the 38th Annual International
the norm in statistical machine learn- Acknowledgments. I thank San- Colloquium on Automata, Languages, and
Programming, 2011, 171-182.
ing. Research in the latter field often jeev Arora, Ankur Moitra, Aravindan 22. Etscheid, M. and Roglin, H. Smoothed analysis of local
search for the maximum-cut problem. ACM Trans.
resembles average-case analysis, for Vijayaraghavan, and four anonymous Algorithms 13, 2 (2017), Article No. 12.
example when data points are mod- reviewers for several helpful sugges- 23. Fagin, R., Lotem, A. and Naor, M. Optimal aggregation
algorithms for middleware. J. Computer and System
eled as independent and identically tions. This work was supported in Sciences 66, 4 (2003), 614–656.
distributed samples from some (possi- part by NSF award CCF-1524062, a 24. Feige, U. and Kilian, J. Heuristics for semirandom
graph problems. J. Computer and System Sciences 63,
bly parametric) distribution. The semi- Google Faculty Research Award, and a 4 (2001), 639–671.
random models described earlier in Guggenheim Fellowship. This article 25. Goodfellow, I., Bengio, Y. and Courville, A. Deep
Learning. MIT Press, 2016.
this article are role models in blending was written while the author was at 26. Gupta, R. and Roughgarden, T. Application-specific
adversarial and average-case modeling Stanford University. algorithm selection. SIAM J. Computing 46, 3 (2017),
992–1017.
to encourage the design of algorithms 27. Jerrum, M. Large cliques elude the Metropolis
with robustly good performance. Re- References
process. Random Structures and Algorithms 3, 4
(1992), 347–359.
cent progress in computationally effi- 1. Ackerman, M. and Ben-David, S. Clusterability: 28. Jin, C, Ge, R., Netrapalli, P., Kakade, S.M. and Jordan,
A theoretical study. In Proceedings of the 12th M.I. How to escape saddle points efficiently. In
cient robust statistics shares much of International Conference on Artificial Intelligence and Proceedings of the 34th International Conference on
the same spirit.19 Statistics, 2009, 1–8. Machine Learning, 2017, 1724–1732.
2. Albers, S., Favrholdt, L.M. and Giel, O. On paging 29. Kumar, A. and Kannan, R. Clustering with spectral
with locality of reference. J. Computer and System norm and the k-means algorithm. In Proceedings of
Conclusion Sciences 70, 2 (2005), 145–175. the 51st Annual IEEE Symposium on Foundations of
3. Alon, N., Krivelevich, M. and Sudakov, B. Finding a large Computer Science, 2010, 299–308.
With algorithms, silver bullets are few hidden clique in a random graph. Random Structures & 30. Makarychev, K., Makarychev, Y. and Vijayaraghavan, A.
and far between. No one design tech- Algorithms 13, 3-4 (1998), 457–466. Bilu-Linial stable instances of max cut and minimum
4. Angel, O., Bubeck, S., Peres, Y., and Wai, F. Local MAX- multiway cut. In Proceedings of the 25th Annual
nique leads to good algorithms for all CUT in smoothed polynomial time. In Proceedings ACM-SIAM Symposium on Discrete Algorithms, 2014,
computational problems. Nor is any of the 49th Annual ACM Symposium on Theory of 890-906.
Computing, 2017, 429-437. 31. Moitra, A., Perry, W. and Wein, A.S. How robust are
single analysis framework—worst- 5. Angelidakis, H., Makarychev, K., and Makarychev, reconstruction thresholds for community detection?
Y. Algorithms for stable and perturbation-resilient
case analysis or otherwise—suitable problems. In Proceedings of the 49th Annual ACM
In Proceedings of the 48th Annual ACM Symposium on
Theory of Computing, 2016, 828–841.
for all occasions. A typical algorithms Symposium on Theory of Computing, pages 438- 32. Moore, C. The computer science and physics of
451, 2017.
course teaches several paradigms for 6. Arora, S., Ge, R., Halpern, Y. Mimno, D.M., Moitra, A.,
community detection: Landscapes, phase transitions,
and hardness. Bulletin of EATCS 121 (2017), 1–37.
algorithm design, along with guidance Sontag, D., Wu, Y. and Zhu, M. A practical algorithm 33. Neyshabur, B. Implicit Regularization in Deep
for topic modeling with provable guarantees. In
about when to use each of them; the Proceedings of the 30th International Conference on
Learning. Ph.D. thesis, Toyota Technological Institute
at Chicago, 2017.
field of beyond worst-case analysis Machine Learning, 2013, 280–288. 34. Ostrovsky, R., Rabani, Y., Schulman, L.J. and Swamy,
7. Arthur, D., Manthey, B., and Roglin, H. Smoothed C. The effectiveness of Lloyd-type methods for the
holds the promise of a comparably di- analysis of the k-means method. JACM 58, 5 (2011), k-means problem. JACM 59, 6 (2012), Article No. 22.
verse toolbox for algorithm analysis. Article No. 18. 35. Papadimitriou, C.H., Raghgavan, P., Tamaki, H. and
8. Awasthi, P., Blum, A. and Sheffet, O. Center-based Vemapala, S. Latent semantic indexing: A probabilistic
Even at the level of a specific prob- clustering under perturbation stability. Information analysis. J. Computer and System Sciences 61,2
lem, there is generally no magical, Processing Letters 112, 1–2 (2012), 49–54. (2000), 217–235.
9. Balcan, M.-F., Blum, A. and Gupta, A. Clustering under 36. Roughgarden, T. CS264 lecture notes on beyond worst-
always-optimal algorithm—the best approximation stability. JACM 60, 2 (2013), Article No. 8. case analysis. Stanford University, 2009–2017. Available
algorithm for the job depends on the 10. Balcan, M.-F., Haghtalab, N. and White, C. k-center at http://www.timroughgarden.org/notes.html.
clustering under perturbation resilience. In 37. Sleator, D.D. and Tarjan, R.E. Amortized efficiency of
instances of the problem most rel- Proceedings of the 43rd Annual International list update and paging rules. Commun. ACM 28, 2
evant to the specific application. Re- Colloquium on Automata, Languages, and (1985), 202–208.
Programming, 2016, Article No. 68. 38. Spielman, D.A. and Teng, S.-H. Smoothed analysis:
search in beyond worst-case analysis 11. Barak, B., Hopkins, S.B., Kelner, J.A., Kothari, P., Moitra, Why the simplex algorithm usually takes polynomial
A., and Potechin, A. A nearly tight sum-of squares
acknowledges this fact while retaining lower bound for the planted clique problem. In
time. JACM 51, 3 (2004), 385–463.
39. Trevisan, L. Inapproximability of combinatorial
the emphasis on robust guarantees Proceedings of the 57th Annual IEEE Symposium on optimization problems. Paradigms of Combinatorial
Foundations of Computer Science, 2016, 428–437.
that is central to worst-case analysis. 12. Bilu, Y. and Linial, N. Are stable instances easy?
Optimization: Problems and New Approaches. V.T.
Paschos, ed. Wiley, 2014.
The goal of work in this area is to de- Combinatorics, Probability & Computing 21, 5 (2012), 40. Zhang, C., Bengio, S., Hardt, M., Recht, B. and Vinyals,
643–660.
velop novel methods for articulating 13. Blum, A. and Spencer, J.H. Coloring random and
O. Understanding deep learning requires rethinking
generalization. In Proceedings of the 5th International
the relevant instances of a problem, semi-random k-colorable graphs. J. Algorithms 19, 2 Conference on Learning Representations, 2017.
(1995), 204–234.
thereby enabling rigorous explana- 14. Borgwardt, K.H. The Simplex Method: A probabilistic
tions of the empirical performance analysis. Springer-Verlag, 1980.
Tim Roughgarden is a professor in the computer science
15. Candes, E.J., Romberg, J.K., and Tao, T. Robust
of known algorithms, and also guid- uncertainty principles: Exact signal reconstruction
department at Columbia University, New York, NY, USA.

ing the design of new algorithms op- from highly incomplete Fourier information. IEEE
Trans. Information Theory 52, 2 (20006), 489–509. © 2019 ACM 0001-0782/19/3 $15.00.
timized for the instances that matter. 16. Cygan, M., Fomin, F.V., Kowalik, L., Lokshtanov, D.,
With algorithms increasingly dom- Marx, D., Pilipczuk, M., Pilipczuk, M, and Saurabh, S.
Parameterized Algorithms. Springer, 2015.
inating our world, the need to under- 17. Dadush, D. and Huiberts, S. A friendly smoothed
stand when and why they work has analysis of the simplex method. In Proceedings of the
50th Annual ACM Symposium on Theory of Computing, Watch the author discuss
never been greater. The field of be- 2018, 390–403. this work in the exclusive
18. Daniely, A., Linial, N. and M. Saks. Clustering is difficult Communications video.
yond worst-case analysis has already only when it does not matter. arXiv:1205.4891, 2012. https://cacm.acm.org/videos/
produced several striking results, but 19. Diakonikolas, I., Kamath, G., Kane, D.M., Li, J., beyond-worst-case-analysis

96 COMM UNICATIO NS O F THE ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 research highlights
P. 98 P. 99
Technical
Perspective Predicting Program Properties
Borrowing Big from ‘Big Code’
Code to Automate By Veselin Raychev, Martin Vechev, and Andreas Krause
Programming
Activities
By Martin C. Rinard

P. 108 P. 109
Technical
Perspective A Deterministic Parallel
Isolating a Matching Algorithm for Bipartite
When Your Coins
Go Missing Perfect Matching
By Nisheeth K. Vishnoi By Stephen Fenner, Rohit Gurjar, and Thomas Thierauf

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 97
research highlights
DOI:10.1145/ 33 0 6 2 0 6

Technical Perspective
To view the accompanying paper,
visit doi.acm.org/10.1145/3306204 rh

Borrowing Big Code to Automate

Programming Activities
By Martin C. Rinard

B I G D A T A C O M B I N E D with machine These results demonstrate how this statements and expressions. Features
learning has revolutionized fields approach can help JavaScript program- exposed in this program representa-
such as computer vision, robotics, and mers produce more easily readable tion enable the immediate applica-
natural language processing. In these and understandable programs. One tion of conditional random fields,
fields, automated techniques that de- potential longer-range consequence a standard technique in machine
tect and exploit complex patterns hid- could be the gradual emergence of a learning for structured prediction
den within large datasets have repeat- de facto standard for aspects of JavaS- previously shown to be effective for
edly outperformed techniques based cript programs such as variable names solving problems in areas such as
on human insight and intuition. and the relationship between program natural language processing and
But despite the availability of enor- structure and types. More broadly, the computer vision, to solve the learn-
mous amounts of code (big code) results also highlight the substantial ing and prediction problem. The
that could, in theory, be leveraged redundancy present in JavaScript code development of a new approximate
to deliver similar advances for soft- worldwide and raise questions about MAP inference algorithm for this
ware, programming has proved to be just how much human effort is really domain enables the performance
remarkably resistant to this kind of required to produce this code. required for interactive use when
automation. Much programming to- Why was this research so success- working with thousands of labels per
day consists of developers deploying ful? First, the authors chose a problem node (in contrast to many previous
keyword searches against online in- that was a good fit for machine learning applications, which only work with
formation aggregators such as Stack over big code. Current machine learn- tens of labels per node).
Overflow to find, then manually adapt, ing techniques do not provide correct What can we expect to see in the
code sequences that implement de- results; they instead only provide re- future from this line of research? The
sired behaviors. sults that look like previous results in most obvious next steps include a va-
The following paper presents new the training set. A variable name or riety of automated programming as-
techniques for leveraging big code to type annotation predictor does not sistants for tasks such as code search,
automate two programming activities: have to always be correct; it only needs code completion, and automatic patch
selecting understandable names for to be correct enough of the time to be generation. Here the assistant would
JavaScript identifiers and generating useful. And JavaScript programs share interact with the programmer to
type annotations for JavaScript vari- enough variable name and type anno- guide the process of turning vague,
ables. The basic approach leverages tation patterns to support a reasonably uncertain, or underspecified goals
large JavaScript code bases to build accurate model. into partially or fully realized code,
a probabilistic model that predicts A second reason is technical, spe- with programmer supervision re-
names and type annotations given the cifically the development of a program quired to complete and/or ensure the
surrounding context (which includes representation that exposes relevant correctness of the resulting code.
constants, JavaScript API calls, and relationships between variables and It is less clear how to make prog-
variable uses in JavaScript expressions the surrounding context, including ress on programming tasks with more
and statements). how variables are used in JavaScript demanding correctness, autonomy,
When run on programs with the or novelty requirements. One critical
original variable names obfuscated, step may be finding productive ways
the implemented system was able to Why was this research to integrate probabilistic reasoning
recover the original variable names with more traditional logical reason-
over 60% of the time. The results for so successful? First, ing as applied to computer programs.
type annotations are even more in- the authors chose a Future research, potentially inspired
triguing—the implemented system in part by the results presented in this
generates correct type annotations for problem that was a paper, will determine the feasibility
over half of the benchmark programs. good fit for machine of this goal.
For comparison, the programmer-pro-
vided annotations are correct for only learning over big code. Martin C. Rinard is a professor in the Department of
Electrical Engineering and Computer Science at the
a bit over a quarter of these programs. Massachusetts Institute of Technology, Cambridge, MA,
The system is accessible via the In- USA, and a member of the Computer Science and Artificial
Intelligence Laboratory.
ternet at jsnice.org with hundreds of
thousands of users. Copyright held by author.

98 COM MUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 DOI:10.1145/3 3 0 6 2 0 4

Predicting Program Properties

from ‘Big Code’
By Veselin Raychev, Martin Vechev, and Andreas Krause

Abstract Figure 1. Structured prediction for programs.

We present a new approach for predicting program proper-
ties from large codebases (aka “Big Code”). Our approach
learns a probabilistic model from “Big Code” and uses this Input Dependency network Predicted properties Output
model to predict properties of new, unseen programs. program relating unknown program
with known properties
The key idea of our work is to transform the program into
a representation that allows us to formulate the problem of
inferring program properties as structured prediction in
machine learning. This enables us to leverage powerful Training data Learned CRF model
Learning
probabilistic models such as Conditional Random Fields
(CRFs) and perform joint prediction of program properties.
As an example of our approach, we built a scalable predic-
tion engine called JSNice for solving two kinds of tasks in reach of traditional techniques. However, effectively learn-
the context of JavaScript: predicting (syntactic) names of ing from programs is a challenge. One reason is that pro-
identifiers and predicting (semantic) type annotations of grams are data transformers with complex semantics that
variables. Experimentally, JSNice predicts correct names should be captured and preserved in the learned probabilis-
for 63% of name identifiers and its type annotation predic- tic model.
tions are correct in 81% of cases. Since its public release at
http://jsnice.org, JSNice has become a popular system with 1.1. Structured prediction for programs
hundreds of thousands of uses. The core technical insight of our work is transforming the
By formulating the problem of inferring program input program into a representation that enables us to for-
­properties as structured prediction, our work opens up the mulate the problem of predicting program properties as
possibility for a range of new “Big Code” applications such structured prediction with Conditional Random Fields
as de-obfuscators, decompilers, invariant generators, and (CRFs).15 Indeed, CRFs are a powerful probabilistic model
others. successfully used in a wide variety of applications including
computer vision and natural language processing.12, 15, 16 We
show how to instantiate this approach towards predicting
1. INTRODUCTION semantic information (e.g., type annotations) as well as syn-
Recent years have seen significant progress in the area of tactic facts (e.g., identifier names). To our knowledge, this is
programming languages driven by advances in type systems, the first work which shows how CRFs can be learned and
constraint solving, program analysis, and synthesis tech- used in the context of programs. By connecting programs to
niques. Fundamentally, these methods reason about each CRFs, a wide range of learning and inference algorithms14
program in isolation and while powerful, the effectiveness of can be used in the domain of programs.
programming tools based on these techniques is approach- Figure 1 illustrates the structured prediction approach.
ing its inherent limits. Thus, a more disruptive change is In the prediction phase (upper part of figure), we are given
needed if a significant improvement is to take place. an input program for which we are to infer properties of
At the same time, creating probabilistic models from interest. In the next step, we convert the program into a rep-
large datasets (also called “Big Data”) has transformed a resentation called dependency network. The dependency
number of areas such as natural language processing, com- network captures relationships between program elements
puter vision, recommendation systems, and many others. whose properties are to be predicted with elements whose
However, despite the overwhelming success of “Big Data” in properties are known. Once the network is obtained, we per-
a variety of application domains, learning from large datas- form structured prediction and in particular, a query
ets of programs has previously not had tangible impact on referred to as Maximum a Posteriori (MAP) inference.14 This
programming tools. Yet, with the tremendous growth of query makes a joint prediction for all elements together by
publicly available source code in repositories such as optimizing a scoring function based on the learned CRF
GitHub4 and BitBucket2 (referred to as “Big Code” by a recent model. Making a joint prediction which takes into account
DARPA initiative11) comes the opportunity to create new structure and dependence is particularly important as
kinds of programming tools based on probabilistic models
of such data. The vision is that by leveraging the massive
The original version of this paper was published in ACM
effort already spent in developing millions of programs,
POPL’2015.
such tools will have the ability to solve tasks beyond the

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T HE ACM 99
research highlights

properties of different elements are often related. A useful fragments. The average JavaScript program size is 91.7 KB.
analogy is the ability to make joint predictions in image pro-
cessing where the prediction of a pixel label is influenced by 1.3. Nice2Predict: Structured prediction framework
the predictions of neighboring pixels. To facilitate faster creation of new applications (JSNice
being one example), we built a reusable framework called
1.2. JSNice: Name and type inference for JavaScript Nice2Predict (found at http://nice2predict.org) which includes
As an example of this approach, we built a system which all components of this work (e.g., training and inference)
addresses two important challenges in JavaScript: predicting except the definition of feature functions (which are applica-
(syntactic) identifier names and (semantic) type annotations tion specific). Then, to use our method one only needs
of variables. Such predictions have applications in software to phrase their application in terms of a CRF model which
engineering (e.g., refactoring to improve code readability), is done by defining suitable feature functions (we show
program analysis (e.g., type inference) and security (e.g., such functions for JSNice later in the paper) and then
deobfuscation). We focused on JavaScript for three reasons. invoke the Nice2Predict training and inference mechanisms.
First, in terms of type inference, recent years have seen A recent example of this instantiation is DeGuard 9
extensions of JavaScript that add type annotations such as (http://apk-deguard.com), a system that performs Android
the Google Closure Compiler5 and TypeScript.7 However, layout de-obfuscation by predicting method, class, and field
these extensions rely on traditional type inference, which names erased by ProGuard.6
does not scale to realistic programs that make use of
dynamic evaluation and complex libraries (e.g., jQuery).13 2. OVERVIEW
Our work predicts likely type annotations for real world pro- We now provide an informal description of our probabilis-
grams which can then be provided to the programmer or to tic approach on a running example. Consider the JavaScript
a standard type checker. Second, much of JavaScript code program shown in Figure 4(a). This is a program which has
found on the Web is obfuscated, making it difficult to under- short, non-descriptive identifier names. Such names can be
stand what the program is doing. Our approach recovers produced by both a novice inexperienced programmer or by
likely identifier names, thereby making much of the code on an automated process known as minification (a form of lay-
the Web readable again. This is enabled by a large and well- out obfuscation) which replaces identifier names with
annotated corpus of JavaScript programs available in open shorter names. In the case of client-side JavaScript, minifi-
source repositories such as GitHub. cation is a common process on the Web and is used to
Since its release, JSNice has become a widely used system reduce the size of the code being transferred over the net-
with users ranging from JavaScript developers to security spe- work and/or to prevent users from understanding what the
cialists. In a period of a year, our users deobfuscated over 9 GB program is actually doing. In addition to obscure names,
(87.7 mn lines of code) of unique (non-duplicate) JavaScript variables in this program also lack annotated type informa-
programs. Figure 3 shows a histogram of the size of these pro- tion. It can be difficult to understand that this obfuscated
grams, indicating that users often query it with large code program happens to partition an input string into chunks
of given sizes, storing those chunks into consecutive entries
Figure 2. A screenshot of http://jsnice.org/: minified code (left), of an array.
deobfuscated version (right). Given the program in Figure 4(a), JSNice automatically
produces the program in Figure 4(e). The output program
has new identifier names and is annotated with predicted
types for the parameters, local variables, and return state-
ment. Overall, it is easier to understand what that program
does when compared to the original. We now provide an
overview of the prediction recipe that performs this transfor-
mation. We focus on predicting names (reversing minifica-
tion), but the process for predicting types is identical.

2.1. Step 1: Determine known and unknown properties

Given the program in Figure 4(a), we use a simple static
(scope) analysis which determines the set of program ele-
ments for which we would like to infer properties. These
Figure 3. Histogram of query sizes to http://jsnice.org/ sent by users
in the period May 10, 2015–May 10, 2016. are elements whose properties are unknown in the input
(i.e., are affected by minification). When predicting names,
Number of queries

15.0K
this set consists of all local variables and function param-
12.0K
9.0K eters of the input program: e, t, n, r, and i. We also deter-
6.0K mine the set of elements whose properties are known (not
3.0K
0 affected by minification). These include field and method
names (e.g., the field element with name length). Both
0

4
10

5
46
1

22
2
5

21 K

2K
K

46 K
10 K

M
0K

K
6K

0M

6M
2K

2M
10

46
21

0
.0

4
.4
.5

.0
0.

4.
5.
1.

4.
2.

10

1.

4.
46
21

2.

10

Size of the JavaScript programs given by our users (in bytes) kinds of elements are shown in Figure 4(b). The goal is to
predict the unknown properties based on: (i) the obtained

100 CO MM UNICATIO NS O F T H E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

Figure 4. Probabilistic inference of program properties on an example.
/* str : string , step : number , return : Array */
function chunkData (e , t ) {
function chunkData ( str , step ) {
var n = [];
var colNames = []; /* colNames : Array */
var r = e . length ;
var len = str . length ;
var i = 0;
var i = 0; /* i : number */
for (; i < r ; i += t ) {
for (; i < len ; i += step ) {
if ( i + t < r ) {
if ( i + step < len ) {
n . push ( e . substring (i , i + t ));
colNames . push ( str . substring (i , i + step ));
} else {
} else {
n . push ( e . substring (i , r ));
colNames . push ( str . substring (i , len ));
}
}
}
}
return n ;
return colNames ;
} }

(a) JavaScript program with minified identifier names. (e) JavaScript program with new identifier names and types.

L R Score
Unknown properties (variable names): i step 0.5
e t n r i t j j 0.4 t
? ? ? ? ? ? i j 0.1 step
L+=R u q 0.01
i i
? length i length
Known properties (constants, APIs):
L<R r L=_.R L R Score r L R Score
0 [] length push ... ? len
i len 0.8 length length 0.5
i length 0.6 len length 0.4

(b) Known and unknown name properties. (c) Dependency network. (d) Result of MAP inference.

known properties and (ii) the relationship between inference.14 Informally, in this type of query, a prediction
­elements (discussed here). leverages the structure of the network (i.e., the connections
between the nodes) as opposed to predicting separately
2.2. Step 2: Build dependency network each node at a time. As illustrated in Figure 4(d), for the
Next, using features we later define, we build a dependency network of Figure 4(c), our system infers the new names
network capturing relationships between program ele- step and len. It also predicts that the previous name i
ments. The dependency network is key to capturing struc- was most likely. Let us consider how we predicted the
ture when performing predictions and intuitively determines names step and len. The network in Figure 4(d) is the
how properties to be predicted influence each other. For same one as in Figure 4(c) but with additional tables pro-
example, the link between known and unknown properties duced as an output of the learning phase (i.e., the learning
allows us to leverage the fact that many programs use com- determines the concrete feature functions and the weights
mon anchors (e.g., JQuery API) meaning that the unknown associated with them). Each table is a function that scores
quantities we aim to predict are influenced by how known the assignment of properties when connected by the cor-
elements are used. Dependencies are triplets of the form responding edge (intuitively, how likely the particular pair
〈n,m,rel〉 where, n, m are program elements, and rel is the is). Consider the topmost table in Figure 4(d). The first row
particular relationship between the two elements. In our says the assignment of i and step is scored with 0.5. The
work all dependencies are triplets, but these can be extended MAP inference searches for assignment of properties to
to relationships involving more than two elements. nodes such that the sum of the scores shown in the tables is
In Figure 4(c), we show three example dependencies maximized. For the two nodes i and t, the inference ends up
between the program elements. For instance, the statement selecting the highest score from that table (i.e., the values i
i += t generates a dependency 〈i,t,L+=R〉, because i and and step). Similarly for nodes i and r. However, for nodes
t are on the left and right side of a+= expression. Similarly, r and length, the inference does not select the topmost row
the statement var r = e.length generates several but the values from the second row. The reason is that if it
dependencies including 〈r,length,L=_.R〉 which desig- had selected the topmost row, then the only viable choice (in
nates that the left part of the relationship, denoted by L, order to match the value length) for the remaining rela-
appears before the de-reference of the right side denoted by R tionship is the second row of i, r table (with value 0.6).
(we elaborate on the different types of relationships in Section However, the assignment 0.6 leads to a lower combined
4). For clarity, in Figure 4(c) we include only some of the overall score. That is, MAP inference must take into account
relationships. the global structure and cannot simply select the maximal
score of each function.
2.3. Step 3: MAP inference To achieve good performance for the MAP inference, we
After obtaining the dependency network, we next infer the developed a new algorithmic variant which targets the domain
most likely values for the nodes via a query known as MAP of programs (existing inference algorithms cannot efficiently

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T H E ACM 101

research highlights

deal with the combination of unrestricted network structure from the set of properties LabelsK which could potentially
and a large number of possible predictions per element). differ from the set of properties LabelsU that we use for
prediction. For example, if the known properties are inte-
2.4. Output program ger constants, LabelsK will contain all valid integers. To
Finally, after the new names are inferred, our system trans- avoid clutter when x is clear from the context, we use z
forms the original program to use these names. The out- instead of zx. We use Labels = LabelsU ∪ LabelsK to denote
put of the entire inference process is captured in the the set of all properties.
program shown in Figure 4(e). Notice how in this output Note that to apply this method the total number of pre-
program, the names tend to accurately capture what the dictions must be fixed (bounded) in advance (i.e., n(x) ). This
program does. is unlike other settings, for example, grammars,10 where the
number of predictions can be unbounded.
2.5. Predicting type annotations
Even though we illustrated the inference process for vari- 3.2. Problem definition
able names, the overall flow for predicting type annota- Let denote the training data: a set of t pro-
tions is identical. Interestingly, after predicting types, grams each annotated with corresponding properties. Our
one can invoke a standard type checker to check whether goal is to learn a model that captures the conditional prob-
the predicted types are valid for the program. For our ability Pr(y | x). Once the model is learned, we can predict
example in Figure 4(e), the predicted type annotations properties of new programs by posing the following MAP
(shown in comments) are indeed valid. In general, when query:
predicting semantic properties (such as types) where
soundness plays a role, our approach can be used as part
of a guess-and-check loop.
That is, we aim to find the most likely assignment of
2.6. Independent of minification program properties y according to the probabilistic
We note that our name inference process is independent of model. Here, Ωx ⊆ Y describes the set of possible assign-
what the minified names are. In particular, the process will ments of properties y′ to program elements of x. The set
return the same names regardless of which minifier was Ωx allows restricting the set of possible properties and is
used to obfuscate the original program (provided these min- useful for encoding problem-specific constraints. For
ifiers always rename the same set of variables). example, in type annotation inference, the set Ωx may
restrict the annotations to types that make the resulting
3. STRUCTURED PREDICTION program typecheck.
We now introduce the structured prediction approach. We
later instantiate this approach in Section 4. 3.3. Conditional random fields (CRFs)
We now briefly describe CRFs, a particular model defined in
3.1. Notation: programs, labels, predictions Lafferty et al.15 and previously used for a range of tasks such
Let x ∈ X be a program. As with standard program analysis, as natural language processing, image classification, and
we will infer properties about program statements or others. CRFs represent the conditional probability Pr(y | x).
expressions (referred to as program elements). For a pro- We consider the case where the factors are positive in which
gram x, each element (e.g., a variable) is identified with case, without loss of generality, any conditional probability
an index (a natural number). We usually separate the ele- of properties y given a program x can be encoded as follows:
ments into two kinds: (i) elements for which we are inter-
ested in inferring properties and (ii) elements whose
properties we know (e.g., obtained via say standard pro-
gram analysis or manual annotation). We use two helper where, score is a function that returns a real number indicat-
functions n, m: X → N to return the appropriate number of ing the score of an assignment of properties y for a program
program elements for a given program x: n(x) returns the x. Assignments with higher score are more likely than
number of elements of kind (i) and m(x) the number of ele- assignments with lower score. Z(x), called the partition func-
ments of kind (ii). When x is clear from the context, we tion, ensures that the above expression does in fact encode a
write n instead of n(x) and m instead of m(x). conditional distribution. It returns a real number depend-
We use the set LabelsU to denote all possible values that a ing only on the program x, that is:
predicted property can take. For instance, in type predic-
tion, LabelsU contains all possible basic types (e.g., number,
string, etc). Then, for a program x, we use the notation
y = (y1, …, yn(x)) to denote a vector of predicted program proper- W.l.o.g, score can be expressed as a composition of a sum of
ties. Here, y ∈ Y where Y = (LabelsU)*. That is, each entry yi in k feature functions fi associated with weights wi:
vector y ranges over LabelsU and denotes that program ele-
ment i has property yi.
For a program x, we define the vector to
capture known properties. Here, each can take a value Here, f is a vector of functions fi and w is a vector of weights

102 COMM UNICATIO NS O F T H E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

wi. The feature functions fi: Y × X → R; are used to score
assignments of program properties. This representation of
score functions is well-suited for learning (as the weights w As arg max is independent of Z(x), we obtain an equivalent
can be learned from data). simplified query:

3.4. Features as constraints

Feature functions are key to controlling the likelihood pre-
dictions. For instance, a feature function can be defined to In theory, one can use any of the available inference
prohibit or lower the score of an undesirable prediction: say ­ lgorithms to solve for the above query (exact inference is in
a
if fi(yB, x) = −H where H is a very large positive number, then fi general an NP-hard MaxSAT problem). In this work, we
(with weight wi > 0) essentially disables an assignment yB as designed a fast and approximate greedy MAP inference algo-
Pr(yB | x) will approach 0. rithm tailored to our setting of programs: pairwise feature
functions, unrestricted nature of Gx and the a large set of
3.5. General prediction approach possible assignments. Our algorithm changes the labels of
Let us first define the kind of relations between program each node one-by-one or in pairs until the assignment score
elements we use when making predictions. Let the set of cannot be improved further.
possible relations be Rels. An example relation we consid-
ered in our running example was L+=R. It relates vari- 3.9. Learning
ables i and t in Figure 4(c) and arises due to the expression The goal of the training phase (lower part of Figure 1) is to
i+=t in the code. Examples of other relations are found learn the weights w used in the score function from a large
in Section 4. training set of programs. These weights cannot be obtained
by means of counting in the training data.14 [Section 20.3.1].
3.6. Pairwise indicator feature functions Instead, we use a learning technique from online support
Let be a set of pairwise feature functions where each vector machines: given a training dataset
ψi: Labels × Labels × Rels → R scores a pair of properties when of t samples, the goal is to find w such that the given assign-
related with a relation from Rels. For example: ments y(j) are the highest scoring assignments in as many
training samples as possible subject to additional margin
learning constraints. The learning procedure is described in
Ratliff et al.17
In general, any feature function can be used, but our work
shows that these pairwise functions are sufficient for making 4. PREDICTING NAMES AND TYPES
high-quality predictions of names and types. Next, we go over In this section we present the JSNice system for prediting:
the steps of the prediction procedure more formally. (i) names of local variables and (ii) type annotations of func-
tion arguments. We investigate the above challenges in the
3.7. Step 1: Build dependency network context of JavaScript, a popular language where addressing
We begin by building the network Gx = 〈Vx, Ex〉 for a pro- the above two questions is of significant importance. We do
gram x, capturing dependencies between predictions. note however that much of the machinery discussed in this
Here, consists of elements (e.g., variables) for section applies as-is to other programming languages.
which we would like to predict properties and ele-
ments whose properties we already know . The set of 4.1. JavaScript identifier name prediction
edges E x ⊆ V x × V x × Rels denotes the fact that there is a The goal of our name prediction task is to predict the (most
relationship between two program elements and likely) names of local variables in a given program x. We pro-
describes what that relationships is. This definition of ceed as follows. First, we define to range over all con-
network is also called a multi-graph because there is no stants, objects properties, methods, and global variables of
restriction on having only a single edge between a pair of x. Each element in can be assigned values from the set
nodes – our definition permits multiple dependencies LabelsK = JSConsts ∪ JSNames, where JSNames is a set of all
with different Rels. valid identifier names and JSConsts is a set of possible con-
We define the feature functions f(y, x) over the graph Gx as stants. We note that object property names and Application
follows. Let (y, zx) be a concatenation of the unknown prop- Programming Interface (API) names are modeled as con-
erties y and the known properties zx in x. Then, fi is defined stants, as the dot (.) operator takes an object on the left-hand
as the sum of the applications of its corresponding ψi over side and a string constant on the right-hand side. We define
the set of all network edges in Gx: the set to contain all local variables of x. Here, a variable
name belonging to two different scopes leads to two pro-
gram elements in . Finally, LabelsU ranges over JSNames.
To ensure the newly predicted names preserve program
semantics, we ensure the following additional constraints
3.8. Step 2: MAP inference hold: (i) all references to a renamed local variable must be
Recall that the key query we perform is MAP inference. That renamed to the same name. This is enforced by how we
is, given a program x, find a prediction y such that: define (each element corresponds to a local variable as

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T H E ACM 103

research highlights

opposed to one element per variable occurrence), (ii) the predictions.

predicted identifier names must not be reserved keywords. For JSTypes = {?} ∪ L the set L of types can be instantiated
This is enforced by ensuring that LabelsU does not contain in various ways. In this work we define L = P(T) where 〈T, 〉 is a
keywords, and (iii) the prediction must not suggest the same complete lattice of types with T and  as defined in Figure 5.
name for two different variables in the same scope. This is In the figure we use “…” to denote a potentially infinite num-
enforced by prohibiting assignments of labels with conflict- ber of user-defined object types. Note that L allows that a vari-
ing names. able can be of a union type {string, number} which for
convenience can also be written as string ∨ number.
4.2. JavaScript type annotation prediction
Our second application involves probabilistic type annota- 4.4. Relating program elements
tion inference of function parameters. These annotations The relationships between program elements that we intro-
are particularly challenging to derive via standard program duce define how to build the set of edges Ex of a program x.
analysis techniques because such a derivation would require Since the elements for both prediction tasks are similar, so
finding all possible callers of a function. Instead, we lever- are the relationships. If a relationship is specific to a particu-
age existing manually (type) annotated JavaScript programs. lar task, we explicitly state so in its description.
In JSNice we use JSDoc1 annotated code for training data. Relating expressions. The first relationship we discuss is
The simplified language over which we predict type anno- syntactic in nature: it relates two program elements based on
tations is defined as follows: the program’s Abstract Syntax Tree (AST). Let us consider the
expression i+j<k. First, we build the AST of the expression
as shown in Figure 6 (a). Suppose we are interested in per-
forming name prediction for variables i, j, and k,
represented with indices 1, 2, and 3 respectively, that is,
Here, n ranges over constants (n ∈ JSConsts), var is a meta- . Then, we build the dependency network as
variable ranging over the program variables, ∗ ranges over shown in Figure 6(b) to indicate the prediction for the three
binary operators (+, −, *, /, ., <, ==, ===, etc.), and τ ranges elements are dependent on one another (with the particular
over all possible variable types. That is, τ = {?} ∪ L where L is relationship shown over the edge). For example, the edge
a set of types (we discuss how to instantiate L below) and ? between 1 and 2 represents the relationship that these
denotes the unknown type. To be explicit, we use the set nodes participate in an expression L+R where L is a node for
JSTypes where JSTypes = τ. We use the function []x : ex → 1 and R is a node for 2.
JSTypes to obtain the type of an expression in a program x. Relationships are defined using the following grammar:
This map can be manually provided or built via program
analysis. When the program x is clear from the context we
use [e] as a shortcut for []x(e).

4.3. Defining known and unknown program elements

Figure 5. The lattice of types over which prediction occurs.
We define the set of unknown program elements as follows:
- Any type
⊥

Other objects:
That is, contains variables whose type is unknown. In e.g. RegExp,
string number boolean Function Array . . .
principle, we can differentiate between the type  and the Element,
unknown type ? in order to allow for finer control over which Event, etc.
types we would like to predict. However, since standard type
inference cannot predict types of function parameters, we ⊥ - No type
annotate all non-annotated parameters with type ?.
Next, we define the set of known elements . Note that
can contain any expression, not just variables like :
Figure 6. (a) The AST of expression i + j < k and two dependency
networks built from the AST relations: (b) for name, and (c) for type
predictions.

L+R
< [i] [j]
That is, contains both, expressions whose types are 1 2
known as well as constants. We do not restrict the set of possi- L+R j L+_<R _+L<R
i
ble assignments Ωx, that is, Ωx = (JSTypes)n (recall that n is a + k [k]
function which returns the number of elements whose prop- L+_<R _+L<R
3 L<R
erty is to be predicted). This means that we rely entirely on the i j [i+j]
k
learning to discover the rules that will produce non-­
contradicting types. The only restriction (discussed here) that (a) (b) (c)
we apply is ­ constraining JSTypes when performing

104 COMM UNICATIO NS O F T H E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 All relationships relast are part of Rels, that is, relast ∈ Rels. As from GitHub.4 For evaluation, we took the 50 JavaScript proj-
discussed earlier,  ranges over binary operators. All relation- ects with the highest number of commits from BitBucket.2 By
ships derived using the above grammar have exactly one occur- taking projects from different repositories, we decrease the
rence of L and R. For a relationship r ∈ relast, let r[x/L, y/R, e/_] likelihood of overlap between training and evaluation data.
denote the expression where x is substituted for L, y is sub- We also searched in GitHub to check that the projects in
stituted for R and the expression e is substituted for _. Then, the evaluation data are not included in the training data.
given two program elements a and b and a relationship r ∈ relast, Finally, we implemented a simple checker to detect and fil-
a match is said to exist if r[a/L, b/R, [expr]/_] ∩ Exp(x) ≠ ⁄. Here, ter out minified and obfuscated files from the training and
[expr] denotes all possible expressions in the programming the evaluation data. After filtering minified files, we ended
language and Exp(x) is all expressions of program x. An edge up with training data consisting of 324,501 files and evalua-
(a, b, r) ∈ Ex between two program elements a and b exists if tion data of 2,710 files.
there exists a match between a, b, and r.
Note that for a given pair of elements a and b there could 5.2. Precision
be more than one relationship which matches, that is, both To evaluate the precision of JSNice, we first minified all
r1, r2 ∈ relast match where r1 ≠ r2 (therefore, there could be 2,710 files in the training data with UglifyJS8 (other sound
multiple edges between a and b with different minifiers should produce input that is equivalent for the
relationships). purposes of using JSNice). As mentioned, we focus on a par-
The relationships described above are useful for both name ticular popular form of obfuscation called layout obfusca-
and type inference. For names, the expressions being related tion. It works by renaming local variables to meaningless
are variables, while for types, they need not be restricted to short names and removing whitespaces and type annota-
variables. For example, in Figure 6(c) there is a relationship tions (other types of obfuscation such as encryption are not
between the types of k and i+j via L<R. Note that our rules considered in this work). Each minified program is semanti-
do not directly capture relationships between [i] and [i+j], cally equivalent (except when using with or eval) to the
but they are transitively dependent. Still, many important original. Then, we used JSNice on the minified programs to
relationships for type inference are present. For instance, in evaluate its capabilities in reconstructing name and type
classic type inference, the relationship L=R implies a con- information. We compared the precision of the following
straint rule [L]  [R] where  is the supertype relationship configurations:
(indicated in Figure 5). Interestingly, our inference model can
learn such rules instead of providing them manually. • The most powerful system works with all of the training
Other relations. We introduce three other types of semantic data and performs structured prediction as described
relations: (i) a relationship capturing aliasing between expres- so far.
sions, (ii) a function calling relationship capturing whether a • Two systems using a fraction of the training data — one
function (represented by a variable) may call another function on 10% and one on 1% of the files.
(also represented by a variable), and (iii) an object access rela- • To evaluate the effect of structure when making predic-
tionship specifying whether an object field (represented by a tions, we disabled relationships between unknown
string constant) may be accessed by a function. The last two properties and performed predictions on that network
relationships are only used in name prediction and are particu- (the training phase still uses structure).
larly effective when predicting function names. •  A naïve baseline which does no prediction: it keeps
names the same and sets all types to the most common
5. IMPLEMENTATION AND EVALUATION type string.
We implemented our approach in an interactive system,
called JSNice, which targets name and type predictions for Name predictions. To evaluate the accuracy of name pre-
JavaScript. JSNice modifies the Google Closure Compiler.5 dictions, we took each of the minified programs and used
In standard operation, this compiler takes human-readable the name inference in JSNice to rename its local variables.
JavaScript with optional type annotations, type-checks it Then, we compared the new names to the original names
and returns an optimized, minified, and human-unreadable (before obfuscation) for each of the tested programs. The
JavaScript with stripped annotations. results for the name reconstruction are summarized in the
In our system, we added a new mode to the compiler that
reverses its standard operation: given an optimized minified
JavaScript code, JSNice generates JavaScript code that is Table 1. Precision and recall for name and type reconstruction of
well annotated (with types) and as human-readable as pos- minified JavaScript programs evaluated on our test set.
sible (with useful identifier names). Our two applications for Names Types Types
names and types were implemented as two probabilistic System accuracy (%) precision (%) recall (%)
models that can be invoked separately. all training data 63.4 81.6 66.9
10% of training data 54.5 81.4 64.8
5.1. Our dataset 1% of training data 41.2 77.9 62.8
To evaluate our approach, we collected two disjoint sets of all data, no structure 54.1 84.0 56.0
baseline – no predictions 25.3 37.8 100
JavaScript programs to form our training and evaluation
data. For training, we downloaded 10,517 JavaScript projects

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T H E ACM 105

research highlights

second column of Table 1. Overall, our best system exactly Figure 7. Evaluation results for the number of type-checking
recovers 63.4% of identifier names. The systems trained on programs with manually provided types and with predicted types.
less data have significantly lower precision showing the
Input programs JSNICE Output programs
importance of training data size.
Not using structured prediction also drops the accuracy 107 typecheck 86 programs
significantly and has about the same effect as an order of 141 programs 227 typecheck
magnitude less data. Finally, not changing any identifier fixed
names produces accuracy of 25.3% — this is because minify- 289 with type error
21 programs
ing the code may not rename some variables (e.g., global 148 programs 169 with type error
variables) in order to guarantee semantic preserving trans-
formations and occasionally one-letter local variable names
stay the same (e.g., induction variable of a loop).
Type annotation predictions. Out of the 2,710 test programs, has 3,505 type annotations for function parameters in 396
396 have type annotations for functions in a JSDoc. For these programs. After removing these annotations and recon-
396, we took the minified version with no type annotations and structing them with JSNice, the number of annotations that
tried to rediscover all types in the function signatures. We first are not ? increased to 4,114 for the same programs. The rea-
ran the Closure compiler type inference, which produces no son JSNice produces more types than originally present
types for the function parameters. Then, we ran and evaluated despite having 66.3% recall is that not all functions in the
JSNice on inferring these function parameter types. original programs had manually provided types.
JSNice does not always produce a type for each function Interestingly, despite annotating more functions than
parameter. For example, if a function has an empty body, or a the original code, the output of JSNice has fewer type
parameter is not used, we often cannot relate the parameter errors. We summarize these findings in Figure 7. For each
to any known program properties and as a result, no predic- of the 396 programs, we ran the typechecking pass of
tion can be made and the unknown type (?) is returned. To Google’s Closure Compiler to discover type errors. Among
take this effect into account, we report both recall and preci- others, this pass checks for incompatible types, calling
sion. Recall is the percentage of function parameters in the into a non-function, conflicting, missing types, and non-
evaluation for which JSNice made a prediction other than ?. existent properties on objects. For our evaluation, we kept
Precision refers to the percentage of cases — among the ones all checks except the non-existent property check, which
for which JSNice made a prediction — where it was exactly fails on almost all (even valid) programs, because it depends
equal to the manually provided JSDoc annotation of the test on annotating all properties of JavaScript classes — annota-
programs. We note that the manual annotations are not tions that almost no program in training or evaluation
always precise, and as a result 100% precision is not necessar- data possesses.
ily a desired outcome. When we ran typechecking on the input programs,
We present our evaluation results for types in the last two we found the majority (289) to have typechecking errors.
columns of Table 1. Since we evaluate on production While surprising, this can be explained by the fact that
JavaScript applications that typically have short methods JavaScript developers typically do not typecheck their
with complex relationships, the recall for predicting pro- annotations. Among others, we found the original code
gram types is only 66.9% for our best system. However, we to have misspelled type names. Most typecheck errors
note that none of the types we infer are inferred by state-of- occur due to missing or conflicting types. In a number
the-art forward type analysis (e.g., Facebook Flow3). of cases, the types provided were interesting for docu-
Since the total number of commonly used types is not as mentation, but were semantically wrong — for exam-
high as the number of names, the amount of training data ple, a parameter is a string that denotes function
has less impact on the system precision and recall. To fur- name, but the manual annotation designates its type to
ther increase the precision and recall of type prediction, we be Function. In contrast, the types reconstructed by
hypothesize that adding more (semantic) relationships JSNice make the majority (227) of programs typecheck.
between program elements would be of higher importance In 141 of programs that originally did not typecheck,
than adding more training data. Dropping structure JSNice was able to infer correct types. On the other
increases the precision of the predicted types slightly, but at hand, JSNice introduced type errors in 21 programs.
the cost of a significantly reduced recall. The reason is that We investigated some of these errors and found that
some types are related to known properties only transitively not all of them were due to wrong types — in several
via other predicted types — relationships that non-struc- cases the predicted types were rejected due to inability
tured approaches cannot capture. On the other end of the of the type system to precisely express the desired pro-
spectrum is a prediction system that suggests for every vari- gram properties without also manually providing type
able the most likely type in JavaScript programs — string. cast annotations.
Such a system has 100% recall, but its precision is only 37.8%.
5.4. Model sizes
5.3. Usefulness of predicted types Our models contain 7,627,484 features for names and
To see if the predicted types are useful, we compared them 70,052 features for types. Each feature is stored as a triple,
to the original ones. First, we note that our evaluation data along with its weight. As a result we need only 20 bytes per

106 COM MUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

feature, resulting in a 145.5 MB model for names and 1.3 MB References random fields for image labeling.
model for types. The dictionary which stores all names and 1. Annotating javascript. https://github. CVPR 2004.
com/google/closure-compiler/wiki/ 13. Jensen, S.H., Møller, A., Thiemann, P.
types requires 16.8 MB. As we do not compress our model, Annotating-JavaScript-for-the- Type analysis for javascript. In
the memory requirements for query processing are propor- Closure-Compiler. Proceedings of the 16th International
2. Bitbucket. https://bitbucket.org/. Symposium on Static Analysis,
tional to model size. 3. Facebook flow. https://github.com/ SAS 2009 (Berlin, Heidelberg, 2009),
facebook/flow. Springer-Verlag, pp. 238–255.
4. Github. http://github.com/. 14. Koller, D., Friedman, N. Probabilistic
6. CONCLUSION 5. Google closure compiler. https:// Graphical Models: Principles and
We presented a new probabilistic approach for predicting developers.google.com/closure/compiler/. Techniques. The MIT Press,
6. Shrink your code and resources. Cambridge, Massachusetts and
program properties by learning from large codebases ProGuard for Android Applications: London, England, 2009.
(termed “Big Code”). The core technical idea is to formu- https://developer.android.com/studio/ 15. Lafferty, J.D., McCallum, A., Pereira,
build/shrink-code.html. F.C.N. Conditional Random Fields:
late the problem of property inference as structured pre- 7. Typescript. https://www. Probabilistic Models for Segmenting
diction with CRFs, enabling joint predictions of program typescriptlang.org/. and Labeling Sequence Data. ICML
8. Uglifyjs. https://github.com/mishoo/ 2001 (San Francisco, CA, USA, 2001),
properties. As an instantiation of our method, we pre- UglifyJS. pp. 282–289.
9. Bichsel, B., Raychev, V., Tsankov, P., 16. Quattoni, A., Collins, M., Darrell, T.
sented a system called JSNice that can reverse the process Vechev, M. Statistical deobfuscation Conditional random fields for object
of layout de-obfuscation by predicting name and type of android applications. CCS 2016. recognition. In NIPS (2004),
10. Bielik, P., Raychev, V., Vechev, M.T. 1097–1104.
annotations for JavaScript. Since its public release, PHOG: probabilistic model for code. 17. Ratliff, N.D., Bagnell, J.A., Zinkevich, M.
JSNice has become a popular tool for JavaScript layout In Proceedings of the 33nd (Approximate) subgradient methods
International Conference on Machine for structured prediction. In AISTATS
de-obfuscation. Learning, ICML 2016, New York City, (2007), 380–387.
Interesting items for future work include reversing other NY, USA, June 19–24, 2016 (2016), 18. Raychev, V. Learning from Large
pp. 2933–2942. Codebases. PhD dissertation, ETH
types of obfuscation (beyond layout), extending the approach 11. DARPA. Mining and understanding Zurich, 2016.
to predict semantic invariants of programs, as well as richer software enclaves (muse). http:// 19. Vechev, M., Yahav, E. Programming
www.darpa.mil/news-events/2014– with “big code”. Foundations and
integration with standard program analyzers where the next 03–06a (2014). Trends in Programming Languages 3,
prediction of the machine learning model is guided by a 12. He, X., Zemel, R.S., Carreira-Perpiñán, 4 (2016), 231–284.
M.A. Multiscale conditional
potential counter-example produced by the analyzer to the
previous prediction. Veselin Raychev, Martin Vechev, and
We also remark that over the last few years the field of learn- Andreas Krause ({veselin.raychev, martin.
vechev}@inf.ethz.ch and {krausea@ethz.
ing from “Big Code” has become an active area of research. ch}), ETH Zurich, Zurich, Switzerland.
Recent surveys covering various developments in this space can
be found in Raychev18 and Vechev & Yahav.19 © 2019 ACM 0001-0782/19/3 $15.00

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T H E ACM 107

research highlights
DOI:10.1145/ 33 0 6 2 1 0

Technical Perspective
To view the accompanying paper,
visit doi.acm.org/10.1145/3306208 rh

Isolating a Matching When

Your Coins Go Missing
By Nisheeth K. Vishnoi

M ATC HI N G S I N BI PA RT I TE graphs play a latter problem is known to have an effi- of randomization—the Isolation Lem-
foundational role in a variety of math- cient parallel algorithm. However, the ma. This lemma asserts there is a ran-
ematical, scientific, and engineering MVV algorithm, while very different domized algorithm to assign weights to
disciplines—from Frobenius’ work on from that of Karp et al., also made cru- the edges of a bipartite graph such that
the determinants of matrices, Gale and cial use of randomness in its reduction the minimum-weight perfect match-
Shapley’s influential paper on stable to computing determinants. ing in the graph is unique—just assign
marriages and college admissions, This was not the first instance of a to each edge a weight independently
Tolstoi and Kantorovich’s work on problem in which randomness seemed and randomly from a set of integers
the optimal transportation problem, to help—checking whether a number that is twice the number of edges in the
to the online world where advertise- is prime or not was already a notorious graph. Amazingly, this randomized al-
ments are being matched to users bil- example. In 1977, Solovay and Strassen5 gorithm does not get to see the graph.
lions of times a day. As a consequence, discovered a randomized algorithm Derandomizing the isolation lemma
algorithms for finding matchings in for primality testing but no efficient al- is tantamount to asking the following
bipartite graphs also have a century- gorithm that did not use randomness question—could we also find such a
old history and the pursuit of efficient (called a deterministic algorithm) was weight assignment when we can, in ad-
algorithms for this problem has led to discovered until 30 years later. In 1982, dition, no longer toss coins?
major achievements in computer sci- Valiant6 showed that a natural routing The main result in this paper is the
ence and optimization. problem on a network had an efficient construction of a list of weight assign-
In the 1980s, with the growing avail- randomized algorithm yet every deter- ments via an almost-polynomial, paral-
ability of parallelizable computer archi- ministic algorithm for the problem was lel and deterministic algorithm (which
tectures, the study of whether one can necessarily inefficient. Research on the also does not look at the graph) that
parallelize algorithms for fundamental power of randomness culminated in a has the property that for any bipartite
problems gained significant momen- surprising result by Kabanets and Im- graph of a given size, at least one of
tum. An efficient parallel algorithm pagliazzo in 20032—removing random- the weight assignments isolates the
would distribute the work on several ness from certain efficient algorithms minimum weight perfect matching in
processors in a manner that keeps the can show the non-existence of efficient it. The end result is a gem that comes
longest sequence of dependent tasks algorithms themselves—a question very close to solving an important open
among processors small—ideally, loga- that is a whisker away from the P versus problem, makes an elegant connection
rithmic in the size of the problem. Sev- NP question. between graph theory and derandom-
eral basic problems such as multiplying Thus, understanding the power ization, has been used to make prog-
matrices, solving a system of equations of randomness in computation very ress on a few other important ques-
and computing shortest paths in graphs quickly evolved from being a curiosity tions and, as a bonus, the proof is from
already had such parallel algorithms. to being of profound interest in theo- “The Book.”
For the bipartite matching prob- retical computer science.
lem, however, it turned out that all al- Whether there exists a determin- References
1. Agrawal, M., Kayal, N. and Saxena, N. PRIMES. P. Ann.
gorithms developed so far were inher- istic algorithm for primality testing Math. 160, 2 (2004), 781–793.
ently sequential in nature and, as such, or a deterministic parallel algorithm 2. Kabanets, V. and Impagliazzo, R. Derandomizing
polynomial identity tests means proving circuit lower
were not amenable to parallelization. for bipartite matching remained two bounds. In Proceedings of the 35th Annual ACM Symp.
In 1985, Karp, Upfal, and Wigderson3 outstanding questions at the frontiers Theory of Computing (June 9–11, 2003, San Diego,
CA, USA), 355–364.
presented an efficient parallel algo- of our understanding of the role of 3. Karp, R.M., Upfal, E. and Wigderson, A. Constructing
a perfect matching is in random NC. In Proceedings
rithm for the problem. However, there randomness in computation. The for- of the 17th Annual ACM Symp. Theory of Computing,
was a caveat: their algorithm was ran- mer was solved in 2001 in a remarkable (May 6–8, 1985, Providence, RI, USA), 22–32.
4. Mulmuley, K., Vazirani, U.V. and Vazirani, V.V. Matching
domized, that is, it needed access to paper by Agrawal, Kayal and Saxena.1 is as easy as matrix inversion. Combinatorica 7, 1
independent coin tosses. This result And the latter has been (nearly) recently (1987), 105–113.
5. Solovay, R. and Strassen, V. A fast Monte-Carlo test
was soon followed by a more efficient resolved in the following paper by for primality. SIAM J. Comput. 6, 1 (1977), 84–85.
algorithm by Mulmuley, Vazirani, and Fenner, Gurjar and Thierauf. 6. Valiant, L.G. A scheme for fast parallel
communication. SIAM J. Comput. 11, 2 (1982),
Vazirani in 19874 who, using an old al- The authors show the randomized 350–361.
gebraic characterization of matchings parallel algorithm of MVV can be con-
by Tutte, reduced the problem of com- verted into a deterministic parallel Nisheeth K. Vishnoi is a professor of computer science at
Yale University, New Haven, CT, USA.
puting matchings in graphs to com- algorithm. At the heart of the MVV ap-
puting determinants of matrices—the proach was an extremely powerful use Copyright held by author.

108 COMM UNICATIO NS O F T H E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 DOI:10.1145/ 3 3 0 6 2 0 8

A Deterministic Parallel Algorithm

for Bipartite Perfect Matching
By Stephen Fenner, Rohit Gurjar, and Thomas Thierauf *

Abstract be solved by a parallel computer with polynomially many

A fundamental quest in the theory of computing is to under- processors in poly-logarithmic time.
stand the power of randomness. It is not known whether Lovász19 gave an efficient randomized parallel algorithm
every problem with an efficient randomized algorithm also for the matching problem, putting it in the complexity class
has one that does not use randomness. One of the exten- RNC (randomized NC). The essence of his parallel algorithm
sively studied problems under this theme is that of perfect was a randomized reduction from the matching problem to
matching. The perfect matching problem has a random- a determinant computation. A determinant computation in
ized parallel (NC) algorithm based on the Isolation Lemma turn reduces to matrix multiplication (see4), which is well
of Mulmuley, Vazirani, and Vazirani. It is a long-standing known to have efficient parallel algorithms.
open question whether this algorithm can be derandom- One of the central themes in the theory of computation is
ized. In this article, we give an almost complete deran- to understand the power of randomness, that is, whether all
domization of the Isolation Lemma for perfect matchings problems with an efficient randomized algorithm also have
in bipartite graphs. This gives us a deterministic parallel a deterministic one. The matching problem has been widely
(quasi-NC) algorithm for the bipartite perfect matching studied under this theme. It has been a long-standing open
problem. question whether randomness is necessary for a parallel
Derandomization of the Isolation Lemma means that we matching algorithm, that is, whether the problem is in NC.
deterministically construct a weight assignment so that the One can also ask for a parallel algorithm to construct a
minimum weight perfect matching is unique. We present perfect matching in the graph if one exists (Search-PM). Note
three different ways of doing this construction with a com- that there is a standard search-to-decision reduction for the
mon main idea. matching problem, but it does not work in parallel. Karp,
Upfal, and Wigderson18 and later, Mulmuley, Vazirani, and
Vazirani21 gave RNC algorithms for Search-PM. The latter
1. INTRODUCTION work introduced the celebrated Isolation Lemma and used
A perfect matching in a graph is a subset of edges such that it to solve Search-PM in RNC. They assign some weights to
every vertex has exactly one edge incident on it from the the edges of the graph, call a weight assignment isolating
subset (Figure 1). The perfect matching problem, PM, asks for a graph G if there is a unique minimum weight perfect
whether a given graph contains a perfect matching. The matching in G. Here, the weight of a perfect matching is sim-
problem has played an important role in the study of algo- ply the sum of the weights of the edges in it. Given an isolat-
rithms and complexity. The first polynomial-time algorithm ing weight assignment with polynomially bounded integer
for the problem was given by Edmonds,7 which, in fact, weights, they can find the minimum weight perfect match-
motivated him to propose polynomial time as a measure of ing in G in NC (again via determinant computations).
efficient computation. Note that if we allow exponentially large weights then it
Perfect matching was also one of the first problems to be is trivial to construct an isolating weight assignment: assign
studied from the perspective of parallel algorithms. A par- weight 2i to the ith edge for 1 ≤ i ≤ m, where m is the number
allel algorithm is one where we allow use of polynomially of edges. This, in fact, ensures a different weight for each per-
many processors running in parallel. And to consider a par- fect matching. The challenge, however, is to find an isolat-
allel algorithm as efficient, we require the running time to ing weight assignment with polynomially bounded weights.
be much smaller than a polynomial. In particular, the com- This is where the Isolation Lemma comes in: it states that if
plexity class NC is defined as the set of problems which can each edge is assigned a random weight from a polynomially
bounded range then such a weight assignment is isolating
with high probability.
*Supported by DFG grant TH 472/4.
Note that since there can be exponentially many perfect
matchings in a graph, there will definitely be many colli-
Figure 1. A graph, with the bold edges showing a perfect matching. sions under a polynomially bounded weight assignment,
that is, many perfect matchings will get the same weight.

The original version of this paper is entitled “Bipartite

Perfect Matching is in quasi-NC” and was published in
the Proceedings of the 48th ACM Symposium on the Theory
of Computing (STOC), 2016.

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T H E ACM 109

research highlights

The beauty of the Isolation Lemma is that for the minimum Theorem 1.2. For bipartite graphs, PM and Search-PM are in
weight, there will be a unique perfect matching with high quasi-NC2.
probability.
1.1. The isolation technique
Lemma 1.1 (Isolation Lemma Mulmuley, Vazirani, and At the heart of our isolation approach is a cycle elimination
Vazirani21). Let G(V, E) be a graph, |E| = m, and w ∈ {1, 2, . . ., technique. It is easy to see that if we take a union of two per-
km}E be a uniformly random weight assignment on its edges, fect matchings, we get a set of disjoint cycles and singleton
for some k ≥ 2. Then w is isolating with probability at least edges (see Figure 2). Each of these cycles has even length
1 − 1/k. and has edges alternating from the two perfect matchings.
Cycles thus play an important role in isolating a perfect
Proof. Let e be an edge in the graph. We first give an upper matching. Given a weight assignment on the edges, let us
bound on the probability that there are two minimum- define the circulation of an even cycle C to be the difference
weight perfect matchings, one containing e and other not of weights between the set of odd-numbered edges and the
containing e. For this, say the weight of every other edge set of even-numbered edges in cyclic order around C. Clearly,
except e has been fixed. Let W be the minimum weight of any if all the cycles in the union of two perfect matchings have
perfect matching that avoids e, and let W′ + w(e) be the mini- zero circulations, then the two perfect matchings will have
mum weight of any perfect matching that contains e. the same weight. It turns out that the converse is also true
Now, what is the probability that these two minimum when the two perfect matchings under consideration are of
weights are equal? Since W and W′ are already fixed by the the minimum weight.6 This observation is the starting point
other edges, and w(e) is chosen uniformly and randomly of our cycle elimination technique.
between 1 and km, In the case of bipartite graphs, this observation can be
further generalized. We show that for any weight assign-
ment w on the edges of a bipartite graph, if we consider the
union of all the minimum weight perfect matchings, then
By the union bound, it has only those cycles which have zero circulation (Lemma
2.1). This means that if we design the weights w such that a
particular cycle C has a nonzero circulation, then C does not
appear in the union of minimum weight perfect matchings,
Now, to finish the proof, observe that there is a unique that is, at least one of the edges in C does not participate in
minimum weight perfect matching if and only if there is no any minimum weight perfect matchings. This is the way we
such edge with the above property.  will be eliminating cycles.
If we eliminate all cycles this way, we will get a unique mini-
One way to obtain a deterministic parallel (NC) algorithm mum weight perfect matching, for if there were two minimum
for the perfect matching problem is to derandomize this weight perfect matchings, their union would contain a cycle.
lemma. That is, to deterministically construct such a polyno- However, it turns out that there are too many cycles in the
mially bounded isolating weight assignment in NC. This has graph, and it is not possible to ensure nonzero circulations
remained a challenging open question. simultaneously for all cycles while keeping the edge weights
Derandomization of the Isolation Lemma has been small (proved in17). Instead, what is achievable is nonzero
known for some special classes of graphs, for example, pla- circulation for any polynomially large set of cycles using well-
nar bipartite graphs,6, 26 strongly chordal graphs,5 and graphs known hashing techniques. In short, we can eliminate any
with a small number of perfect matchings.1,14 Here, we pres- desired set of a small number of cycles at once. With this tool
ent an almost complete derandomization of the Isolation in hand we would like to eliminate all cycles—whose number
Lemma for bipartite graphs. The class of bipartite graphs can be exponentially large—in a small number of rounds.
appears very naturally in the study of perfect matchings. A We present three different ways of achieving this. The first
graph is bipartite if there is a partition of its vertex set into two of these have appeared before in different versions of
two parts such that each edge connects a vertex from one our article.10 The third has not appeared anywhere before.
part to a vertex from the other (the graph in Figure 1 is bipar-
tite). Thus, a perfect matching in a bipartite graph matches
Figure 2. Two perfect matchings, with red and blue edges,
every vertex in one part to exactly one vertex in the other. respectively. Their union forms a set of disjoint cycles and edges.
In Section 3, we construct an isolating weight assignment
for bipartite graphs with quasi-polynomially large (nO(log n))
weights, where n is the number of vertices in the graph. Note
that this is slightly worse than what we would have ideally
liked, which is—polynomially bounded weights. Hence, we
do not get an NC algorithm. Instead, we get that for bipartite
graphs, the problems PM and Search-PM are in quasi-NC2.
That is, the problems can be solved in O(log2 n) time using
nO(log n) parallel processors. A more detailed exposition is in
the conference version of the article.10

110 CO MM UNICATIO NS O F T H E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

 1. In the first approach, in the ith round, we eliminate all The following lemma about circulations of cycles gives
cycles of length at most 2i+1. Hence, we eliminate all us a way to eliminate cycles. For a weight assignment w on
cycles in log n rounds. Each round is efficient because the edges of a graph G, let Gw be the union of minimum
if a graph does not have any cycles of length at most , weight perfect matchings, that is, it is a subgraph of G that
then the number of cycles up to length 2 is polynomi- has exactly those edges that are present in some minimum
ally bounded.25, 23 weight perfect matching in G.
2. In the second approach, first we eliminate all cycles of
length at most 4 log n. The bound we have on the num- Lemma 2.1 (Zero circulation). Let w be a weight function
ber of such cycles is quasi-polynomial in n. Alon, Hoory, on the edges of a bipartite graph G. Let C be a cycle in the sub-
and Linial2 have shown that any graph which does not graph Gw. Then circw(C) = 0.
contain any cycle of length ≤4 log n must have average
degree at most 2.5, and thus must have at least a con- The following corollary is immediate, which shows how
stant fraction of nodes with degree 2 or less. From the the above lemma can be used to eliminate cycles.
resulting graph, we remove all nodes of degree 1, and
we contract degree-2 nodes one by one (identifying the Corollary 2.2 (Cycle elimination). Let C be a cycle in a
two neighbors), until there are no degree-2 nodes left. bipartite graph G and w be a weight function on its edges such
This creates new small cycles in the graph. We then that circw(C) ≠ 0. Then C is not present in Gw.
repeat the procedure of eliminating cycles of length at
most 4 log n from the new graph. In each round the There are several ways to prove Lemma 2.1.
number of nodes decreases by a constant fraction.
Thus, after O(log n) rounds, we eliminate all nodes and 1. In our original article,10 we presented a proof based
hence, all cycles. on properties of the perfect matching polytope. In the
3. In the third approach, instead of considering the argument, the center point of the polytope is slightly
lengths of the cycles, we try to pick as many edge-dis- moved along cycle C, so that the point stays in the
joint cycles as possible and eliminate them. Note that polytope. This implies that the circulation of C must
edge-disjointness ensures that we will eliminate at be zero.
least as many edges as cycles. Erdös and Pósa9 showed 2. After the first version of our article was published,
that any graph with m edges and n nodes contains Rao, Shpilka, and Wigderson (see [Goldwasser and
edge-disjoint cycles. A careful argument Grossman,13 Lemma 2.4]) came up with an alternate
shows that in O(log2 n) rounds, we eliminate enough proof of Lemma 2.1, similar to ours, but based on
edges so that no cycles are left. Hall’s Theorem instead of the matching polytope.
3. In a column for SIGACT News,11 we gave a geometric
As we will see later, the first approach is more efficient than proof, where we just argue via vectors being parallel or
the other two. We still think it is interesting to see different perpendicular to each other. One might consider this
ways of achieving isolation, as they might lead to better ideas the shortest and most elegant of the proofs.
for getting isolation with polynomially bounded weights 4. Nevertheless, in Section 2.1 below, we present a fourth
or isolation in other settings. Another interesting point is proof that we find very nice. It is based on LP duality.
that our second approach was used in designing a pseudo-
deterministic RNC algorithm for bipartite matching.13 2.1. LP formulation for perfect matching
Our crucial technical result (Lemma 2.1) about eliminat- The minimum weight perfect matching problem on bipar-
ing cycles has a proof based on linear programming (LP) tite graphs has a simple and well-known LP formulation.
duality. In the next section, we describe a LP formulation for Let G be a bipartite graph with vertex set V and edge set E.
bipartite perfect matching and its dual, and then use it to Then the following linear program captures the minimum
prove our result. Finally in Section 3, we formally describe weight perfect matching problem (see, for example, Lovász
the weight construction and the three approaches to elimi- and Plummer20).
nate all cycles.

2. CYCLE ELIMINATION VIA NONZERO CIRCULATIONS (1)

In this section, we formally describe our main technical tool
which enables cycle elimination. Let us first give a formal (2)
definition of cycle circulation. For a weight assignment w
on the edges of a graph G, the circulation circw(C) of an even- where d(v) denotes the set of edges incident on a vertex v.
length cycle C = (v1, v2, . . ., vk) is defined as the alternating The linear program has one variable xe for each edge in the
sum of the edge weights around C: graph. Intuitively, xe = 1 represents that the edge e is present
in the perfect matching and xe = 0 represents that e is not
in the perfect matching. Then, Equation (2) is simply say-
ing that a perfect matching contains exactly one edge from
The definition is independent of the edge we start with the set of edges incident on a particular vertex. The objec-
because we take the absolute value of the alternating sum. tive function asks to minimize the sum of the weights of the

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T H E ACM 111

research highlights

edges present in a perfect matching, that is, the weight of a ways to construct a weight function which ensures nonzero
perfect matching. circulations for any small set of cycles simultaneously, see
An important point to note here is that the above LP for- for example.12
mulation works only for bipartite graphs, and this is the rea-
son our proof does not work for general graphs. Lemma 3.1. Let C be any set of s cycles in graph G(V, E) and let
From the standard theory of LP duality, the following is the E = {e1, e2, . . ., em}. For j ∈ , we define weights
dual linear program for minimum weight perfect matching.
Since in the primal LP above we had an equality constraint for
each vertex, here we have a variable for each vertex.

Then there exists a j ≤ ms such that

 (3)

Note that the dual variables do not have any non-negativity Note that the above lemma actually gives a list of weight
constraint, since the primal constraints are equalities. functions such that for any desired set of cycles, at least one
It follows from strong LP duality that the optimal values of the weight functions in the list works. Also observe that the
of these two linear programs are equal. This will be crucial weight of any edge under any of these functions is bounded
for the proof of Lemma 2.1. by ms. That is, the weights are polynomially bounded as long
as the number of cycles is.
Proof of Lemma 2.1. Let e = (u, v) be any edge participating The isolating weight assignment is now constructed in
in a minimum weight perfect matching, in other words, e is rounds. The strategy is to keep eliminating a small number
an edge in Gw. Let y ∈ V be a dual optimal solution. We claim (poly or quasi-poly) of cycles in each round by giving them
that the dual constraint (3) corresponding to e is tight, that nonzero circulations. This is repeated until we are left with
is, no cycles. In every round, we add the new weight function
(4) to the current weight function on a smaller scale. This is to
ensure that the new weights do not interfere significantly
This can be seen as follows: for any minimum weight perfect with the circulations of cycles which have been already elim-
matching M, its weight by definition is the primal optimal inated in earlier rounds.
value, and thus, by strong duality must be equal to the dual In more detail, if wi is the current weight function in
optimal value. That is, the ith round, then in the next round, we will consider the
weight function wi+1 = Nwi + w′, for some weight function
w′ and a large enough number N. The number N is chosen
to be larger than n ⋅ maxe w′(e), which ensures that Nwi gets
Note that a sum over all vertices is the same as a sum over precedence over w′. The weight function w′ is designed to
the end points of all the edges in a perfect matching. Thus, ensure nonzero circulations for a desired set of cycles in .
These cycles will not appear in . We will keep eliminat-
 (5) ing cycles in this way until we obtain a w such that Gw has no
cycles. Recall that Gw is defined to be the union of minimum
Together with (3), Equation (5) implies Equation (4). weight perfect matchings with respect to w, and thus, con-
Now, let C = (u1, u2, …, u2k) be a cycle in Gw. Since each edge tains at least one perfect matching. Since Gw has no cycles,
in C is part of some minimum weight perfect matching, by it must have a unique perfect matching, and so, w is isolat-
(4), all the edges of C are tight w.r.t. the dual optimal solution ing for G. Figure 3 shows a graph where an isolating weight
y. Hence, assignment is constructed in 3 rounds using our Approach 1,
described below.
Bound on the weights. If we want to assign nonzero
circulations to at most s cycles in each round, then the
weights are bounded by ms by Lemma 3.1. If there are k such
rounds, the bound on the weights becomes O( (nms)k). As we
Hence, every cycle in Gw has zero circulation.  will see later, the quantity (nms)k will be quasi-polynomially
bounded.
3. CONSTRUCTING AN ISOLATING WEIGHT Recall that Lemma 3.1 gives a list of ms candidate weight
ASSIGNMENT functions such that at least one of them gives nonzero circu-
Corollary 2.2 gives us a way to eliminate cycles. Suppose lations to all the s cycles chosen in a round. We need to try
C is a cycle in graph G. If we construct a weight assignment all possible (ms)k combinations of these candidate functions
w such that circw(C) ≠ 0 then the cycle C will not be present coming from each round. Our quasi-NC algorithm tries all
in Gw, that is, at least one edge of C will be missing. these combinations in parallel.
We will be applying this technique on a small set of Now, the crucial question left in our isolating weight
chosen cycles. As mentioned earlier, there are standard construction is this: how to eliminate all cycles, which are

112 COMM UNICATIO NS O F T H E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

Figure 3. Iterative construction of an isolating weight assignment on a bipartite graph.
e6 e1 e7 e8

G is a 10-node graph with 12 edges

e0 e5 e11 e2
e0, . . . , e11.

e4 e10 e9 e3

64 2 128 256

1 32 2048 4 The initial weights are w(ei) := 2i.

16 1024 512 8

1 2 2 1
Take w(mod 3). The 4-cycles are gone, but
1 2 2 1 only e5 is removed in the derived graph—the
union of 3 min matchings (blue, red, green).
1 1 2 2

1 2 2 4
Take w(mod 7) . The 6-cycles are gone, but
1 4 4 4
only e11 is removed in the derived graph—
the union of the blue and red matchings
(the non-min-weight green does not survive).
2 2 1 1

4 2 3 1
Take w(mod 5) . The 10-cycle is now gone
1 2 3 4 and only the blue matching survives in the
derived graph.
1 4 2 3

114 222 223 141

Combining the reduced weights gives us a
weight function that isolates the blue matching
111 242 243 144
as unique with min weight. Numbers can be
interpreted in any radix ≥5 in this example.
121 124 212 213

possibly exponentially many, in a small number of rounds, 3.1. Approach 1: Doubling the lengths of the cycles
while only eliminating a small number of cycles in each Here, the idea is to double the length of the cycles that we
round. We present three different approaches for this. Each want to eliminate in each round. There will be log n rounds.
approach will have a different criterion for choosing a small In the ith round, we eliminate all cycles of length at most
set of cycles, which are to be eliminated in a round. The rest 2i+1, and thus we eliminate all cycles in log n rounds. The fol-
of the procedure is common to all three approaches. The fol- lowing lemma shows that if we have already eliminated all
lowing table gives, for each approach, the number of cycles the cycles of length at most 2i then the number of cycles of
chosen in each round and the number of rounds required to length 2i+1 is polynomially bounded, for any i.
eliminate all cycles. Here we use m ≤ n2.
Lemma 3.2 (Subramanian23). Let H be a graph with n nodes
Number of cycles Number that has no cycles of length at most r, for some even number
in each round of rounds Bound on the weights r ≥ 4. Then H has at most n4 cycles of length at most 2r.
Approach 1 n4 O(log n) nO(log n)
Approach 2 nO(log n) O(log n) nO(log n)
2

Proof. Let C be a cycle of length ≤2r in G. We choose four

Approach 3 O(n2) O(log2 n) nO(log n)
2

vertices u0, u1, u2, u3 on C, which divide it into four almost

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T H E ACM 113

research highlights

equal parts. We associate the tuple (u0, u1, u2, u3) with C. We Figure 4. Deleting a degree-2 node v and identifying its two neighbors
claim that C is the only cycle associated with (u0, u1, u2, u3). u and w—an operation which preserves perfect matchings and cycles.
For the sake of contradiction, let there be another such cycle
C′. Let p ≠ p′ be paths of C and C′, respectively, that connect
the same u-nodes. As the four segments of C and C′ are of
equal length, we have |p|, |p′| ≤ r/2. Thus, p and p′ create a u
cycle of length ≤r, which is a contradiction. Hence, a tuple
is associated with only one cycle. The number of tuples of v {u, w}
four nodes is bounded by n4 and so is the number of cycles
of length ≤2r. 
w
3.2. Approach 2: Eliminating small cycles implies a
small average degree
Here, the idea is to use a result of Alon, Hoory, and Linial,2
which states that a graph with no small cycles must have
many nodes of degree ≤2. To get an intuitive understanding G0 have degree ≥3. By Lemma 3.3, graph G0 again has small
of this, consider a graph where each node has degree at least cycles of length ≤4 log n. Now, we can repeat the procedure
3: do a breadth-first search of the graph starting from an of eliminating all cycles of length ≤4 log n with G0.
arbitrary node until depth log n. When one reaches a node In every round, the number of nodes in the graph decreases
v via an edge e, there are at least 2 edges incident on v other by a constant fraction. Thus, in O(log n) rounds, we eliminate
than e. So, the search tree contains a binary tree of depth log all cycles and reach the empty graph. One can easily obtain a
n. The nodes in the tree cannot be all distinct, because oth- unique perfect matching in the original graph G, by reversing
erwise we would have strictly more than 2log n = n nodes. A all the degree-1 deletions and degree-2 collapses.
node that appears twice in the search tree gives us a cycle of
length at most 2 log n. In other words, if there are no cycles 3.3. Approach 3: Eliminating a maximum size set of
of length at most 2 log n, then the graph must have a node edge-disjoint cycles
with degree 2 or less. Alon, Hoory, and Linial2 generalize In this approach, we do not consider the lengths of the
this intuition to show that as the length of the shortest cycle cycles. Instead, in each round we pick as many edge-disjoint
increases, the average degree gets closer to 2. cycles as possible. Recall that eliminating a cycle means that
at least one of its edges will not be present in the graph in the
Lemma 3.3 (Alon, Hoory, and Linial). Let H be a graph with next round. Hence, when we eliminate a set of edge-disjoint
no cycles of length <4 log n. Then H has average degree <2.5. cycles, we will eliminate at least as many edges. Once we
remove enough edges, we will be left with no cycles.
In this approach, we start by eliminating all cycles in graph Let G be a graph with n vertices and m edges. The number
G of length ≤4 log n. It is easy to see that the number of such of cycles picked in each round is trivially bounded by m. The
cycles will be bounded by n4 log n. Lemma 3.3 implies that after non-trivial part is to come up with a lower bound. Erdös and
this, a constant fraction of the nodes in G have degree ≤2. Pósa9 showed that G has at least edge-disjoint
Having many nodes of degree ≤2 is quite useful when we cycles. We will argue that if we eliminate a maximum size
are interested in perfect matchings because they provide a set of edge-disjoint cycles in a round, then the quantity m − n
way to shrink the graph while preserving perfect matchings. decreases by a significant fraction in every round.

1. Let v be node of degree 1 in G and u be the unique neigh- Lemma 3.4. Let G be a connected graph with n vertices and m
bor of v. Recall that our graph after every round is always edges. Let C be a maximum size set of edge-disjoint cycles in G.
a union of perfect matchings. Therefore, u has degree 1 Let H be any subgraph of G obtained by deleting at least one
as well. Hence, we can simply delete u and v from G. edge from each cycle in C. Then for any connected component H1
2. Let v be a node of degree 2 in G with its neighbors u of H with n1 vertices and m1 edges,
and w. Now, construct a new graph G′ from G by delet-
ing v and identifying u and w to get a single node {u, w}
(see Figure 4). We refer to this operation as collapsing
the node v. Observe that perfect matchings of G and G′
are in one-to-one correspondence. Proof. Let |C| = k. Let H′ be any subgraph of G such that H
is a subgraph of H′ and for each cycle in C, exactly one edge is
Note also that any cycle in G appears in G′ with the degree-2 missing in H′. Note that H′ is still connected, since the cycles
nodes cut out, that is, cycles get shorter in G′. in C are edge-disjoint. The difference between the number of
To further proceed in this approach, we first collapse all edges and vertices of H′ is m − n − k.
degree-2 nodes in G (one by one) and delete all degree-1 nodes. Since H is obtained by deleting possibly some more
Let G0 be the resulting graph. Since there were a constant frac- edges from H′, for any connected component of H, the dif-
tion of nodes with degree ≤2 in G, the number of nodes in G0 ference between the number of edges and vertices cannot
decreases by a constant fraction. Note also that all nodes in be larger than m − n − k. Now, the lemma follows from the

114 CO M MUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

above lower bound of Erdös and Pósa9 on the number of discussions on the number of shortest cycles, and Nisheeth
edge-disjoint cycles.  Vishnoi for helpful comments.

Let us repeat the procedure of eliminating a maximum References

1. Agrawal, M., Hoang, T.M., Thierauf, T. abstract). In 28th Annual Symposium
size set of edge-disjoint cycles. It follows from the lemma The polynomially bounded perfect on Foundations of Computer Science
that after O(log2 n) rounds, each component of the obtained matching problem is in NC2. In 24th (FOCS) (Los Angeles, California, USA,
International Symposium on Theoretical October 27–29, 1987), 166–172.
graph will have a constant difference between the number of Aspects of Computer Science (STACS), 15. Gurjar, R., Thierauf, T. Linear matroid
edges and vertices. At this stage, each component will have volume 4393 of Lecture Notes in intersection is in quasi-NC. In
Computer Science (Berlin Heidelberg, Proceedings of the 49th Annual ACM
only constantly many cycles. And so, in one more round we 2007). Springer, 489–499. SIGACT Symposium on Theory of
will eliminate all cycles. 2. Alon, N., Hoory, S., Linial, N. The Computing (Montreal, QC, Canada, June
Moore bound for irregular graphs. 19–23, 2017), STOC 2017, 821–830.
A different view on the third approach is by considering Graphs Comb. 18, 1 (2002), 53–57. 16. Gurjar, R., Thierauf, T., Vishnoi, N.K.
the dimension of the perfect matching polytope. For a con- 3. Anari, N., Vazirani, V.V. Planar graph Isolating a vertex via lattices: Polytopes
perfect matching is in NC. Technical with totally unimodular faces. In 45th
nected bipartite graph, where each of its edges belong to Report arXiv:1709.07822, CoRR, 2017. International Colloquium on Automata,
some perfect matching, the perfect matching polytope has 4. Berkowitz, S.J. On computing the Languages, and Programming (ICALP)
determinant in small parallel time using (Prague, Czech Republic, July 9–13,
dimension m − n + 1 [Lovász and Plummer,20 Theorem 7.6.2]. a small number of processors. Inform. 2018), 74:1–74:14.
Thus, the argument of this approach can also be viewed as Process. Lett. 18, 3 (1984), 147–150. 17. Kane, D., Lovett, S., Rao, S. The
5. Dahlhaus, E., Karpinski, M. Matching independence number of the birkhoff
decreasing the dimension of the perfect matching polytope and multidimensional matching in polytope graph, and applications to
chordal and strongly chordal graphs. maximally recoverable codes. In
by a fraction in each round and eventually reaching dimen- Discrete Appl. Math. 84 (1998), 79–91. 58th IEEE Annual Symposium on
sion zero, that is, just one perfect matching point. 6. Datta, S., Kulkarni, R., Roy, S. Foundations of Computer Science
Deterministically isolating a perfect (Berkeley, CA, USA, October 15–17,
matching in bipartite planar graphs. 2017), FOCS 2017, 252–259.
4. FURTHER DEVELOPMENTS Theory Comput. Syst. 47 (2010), 18. Karp, R.M., Upfal, E., Wigderson, A.
737–757. Constructing a perfect matching is
After years of inactivity, our result inspired a series of follow- 7. Edmonds, J. Paths, trees, and owers. in random NC. Combinatorica, 6, 1
up works on parallel algorithms for perfect matching and the Can. J. Math. 17 (1965), 449–467. (1986), 35–48.
8. Eppstein, D., Vazirani, V.V. NC 19. Lovász, L. On determinants,
Isolation Lemma. In one direction, our isolation approach algorithms for perfect matching matchings, and random algorithms.
was generalized to the broader settings of matroid intersec- and maximum ow in one-crossing- In Fundamentals of Computation
minor-free graphs. Technical Report Theory (Berlin/Wendisch-Rietz (GDR),
tion and polytopes with totally unimodular faces, respec- arXiv:1802.00084, CoRR, 2018. September 17–21, 1979), 565–574.
tively.15, 16 For these general settings, the right substitute for 9. Erdös, P., Pósa, L. On the maximal 20. Lovász, L., Plummer, M.D. Matching
number of disjoint circuits of a graph. Theory. North-Holland mathematics
cycles are integer vectors parallel to a face of the associated Publ. Math. Debrecen 9 (1962), 3–12. studies. Elsevier Science Ltd, 1986.
polytope. Following our first approach, if one eliminates 10. Fenner, S., Gurjar, R., Thierauf, T. 21. Mulmuley, K., Vazirani, U.V., Vazirani, V.V.
Bipartite Perfect Matching is in Matching is as easy as matrix inversion.
vectors of length ≤2i, then there are only polynomially many quasi-NC. In Proceedings of the Combinatorica, 7 (1987), 105–113.
vectors of length ≤2i+1, in their respective settings (see15, 16 48th ACM Symposium on the Theory 22. Sankowski, P. NC algorithms
of Computing (STOC) (Cambridge, for weighted planar perfect
for details). It is not clear, however, if our second and third MA, USA, June 18–21, 2016). matching and related problems.
arXiv:1601.06319; ECCC TR15-177. In 45th International Colloquium
approaches work in these settings. 11. Fenner, S., Gurjar, R., Thierauf, T. on Automata, Languages, and
In another direction, Svensson and Tarnawski24 gener- Guest column: Parallel algorithms for Programming (ICALP) (Prague, Czech
perfect matching. SIGACT News 48, Republic, July 9–13, 2018), 97:1–97:16.
alized the isolation result to perfect matchings in general 1 (Mar. 2017), 102–109. 23. Subramanian, A. A polynomial bound
graphs. They use the basic framework of our first approach as 12. Fredman, M.L., Komlós, J., Szemerédi, E. on the number of light cycles in an
Storing a sparse table with O(1) worst undirected graph. Inform. Process.
the starting point, but they need to combine the technique case access time. J. ACM, 31, 3 (June Lett. 53, 4 (1995), 173–176.
of eliminating cycles with a second parameter (contractabil- 1984), 538–544. 24. Svensson, O., Tarnawski, J. The
13. Goldwasser, S., Grossman, O. matching problem in general graphs
ity) to control the progress in subsequent rounds. Bipartite perfect matching in is in quasi-NC. In 58th IEEE Annual
The techniques developed by us and by Svensson and pseudo-deterministic NC. In Symposium on Foundations of Computer
44th International Colloquium Science (Berkeley, CA, USA, October
Tarnawski were used by Anari and Vazirani3 to compute a on Automata, Languages, and 15–17, 2017), FOCS 2017, 696–707.
perfect matching in planar graphs in NC (see also22), which Programming (Warsaw, Poland, 25. Teo, C.P., Koh, K.M. The number of
July 10–14, 2017), ICALP 2017, 13, shortest cycles and the chromatic
also was a long-standing open problem. They show that the 87:1–87. uniqueness of a graph. J. Graph
sets to be contracted, odd sets of vertices that form a tight 14. Grigoriev, D., Karpinski, M. The Theory 16, 1 (1992), 7–15.
matching problem for bipartite 26. Tewari, R., Vinodchandran, N. Green’s
cut in the LP-constraints, can be computed in NC. In a sub- graphs with polynomially bounded theorem and isolation in planar graphs.
sequent work, the NC algorithm was further generalized to permanents is in NC (extended Inform. Comput. 215 (2012), 1–7.

one-crossing-minor-free graphs.8
Stephen Fenner ([email protected]), Thomas Thierauf (thomas.
The Isolation Lemma has applications in many different University of South Carolina, Columbia, [email protected]), Aalen University,
settings—in particular, in design of randomized algorithms. SC, USA. Germany.
Rohit Gurjar (rohitgurjar0@gmail.
The main open question that remains is for what other settings com), California Institute of Technology,
Pasadena, CA, USA.
can one derandomize the Isolation Lemma. We conjecture
that our isolation approach works for any family of sets whose
corresponding polytopes are described by 0/1 constraints.

Acknowledgments
We would like to thank Manindra Agrawal and Nitin Saxena
for their constant encouragement and very helpful discus-
sions. We thank Arpita Korwar for discussions on some
other techniques used in this research, Jacobo Torán for © 2019 ACM 0001-0782/19/3 $15.00

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T H E ACM 115

CAREERS

National University of Singapore ˲˲ Computer Systems (including Networks, Cloud work on multiple projects simultaneously.
Sung Kah Kay Assistant Professorship in all Computing, IoT, Software Engineering, etc.) Visit UA’s staff employment website at jobs.
areas of Computer Science ˲˲ Cognitive Robotics and Autonomous Systems ua.edu for information and to apply.
˲˲ Cybersecurity (including Cryptography) The University of Alabama is an equal-oppor-
The Department of Computer Science at the Applicants should have an earned Ph.D. de- tunity employer (EO), including an EOE of pro-
National University of Singapore (NUS) invites gree and demonstrated achievements in both tected vets and individuals with disabilities.
applications for the Sung Kah Kay Assistant Pro- research and teaching. The teaching language at
fessorship. Applicants can be in any area of com- SUSTech is bilingual, either English or Putong-
puter science. This prestigious chair was set up in hua. It is perfectly acceptable to use English in all University of Maine
memory of the late Assistant Professor Sung Kah lectures, assignments, exams. In fact, our exist- School of Computing and Information Science
Kay. Candidates should be early in their academic ing faculty members include several non-Chinese Tenure-Track Assistant Professor of Computer
careers and yet demonstrate outstanding research speaking professors. Science
potential, and strong commitment to teaching. As a State-level innovative city, Shenzhen has
The Department enjoys ample research fund- identified innovation as the key strategy for its The University of Maine School of Computing
ing, moderate teaching loads, excellent facilities, development. It is home to some of China’s most and Information Science seeks applicants for a
and extensive international collaborations. We have successful high-tech companies, such as Huawei tenure-track, academic-year Assistant Professor
a full range of faculty covering all major research ar- and Tencent. SUSTech considers entrepreneur- position, with an anticipated start date of Sep-
eas in computer science and boasts a thriving PhD ship as one of the main directions of the univer- tember 1, 2019. Our primary target focus is the
program that attracts the brightest students from sity. Strong supports will be provided to possible broad area of data science (machine learning,
the region and beyond. More information is avail- new initiatives. SUSTech encourages candidates data mining, data management, information re-
able at www.comp.nus.edu.sg/careers. with experience in entrepreneurship to apply. trieval, natural language processing, computer vi-
NUS is an equal opportunity employer that The Department of Computer Science and sion, data visualization, etc.), but we will consider
offers highly competitive salaries, and is situated Engineering at SUSTech was founded in 2016. exceptionally qualified candidates in all areas.
in Singapore, an English-speaking cosmopolitan It has 17 professors, all of whom hold doctoral
city that is a melting pot of many cultures, both degrees or have years of experience in overseas Knowledge, skills, and qualifications. We are par-
the east and the west. Singapore offers high-qual- universities. Among them, three are IEEE fellows; ticularly interested in candidates who comple-
ity education and healthcare at all levels, as well one IET fellow. The department is expected to ment the School’s existing research strengths in
as very low tax rates. grow to 50 tenure track faculty members eventu- Artificial Intelligence (AI), Data Management,
ally, in addition to teaching-only professors and Distributed Systems, Human-Computer Interac-
Application Details: research-only professors. tion (HCI), Cybersecurity/Privacy, Data Visual-
˲˲ Submit the following documents (in a single SUSTech is committed to increase the diversi- ization, and Spatial Informatics with potential
PDF) online via: https://faces.comp.nus.edu.sg. ty of its faculty, and has a range of family-friendly for collaborations within the School. The abil-
• A cover letter that indicates the position ap- policies in place. The university offers competi- ity to contribute to campus-wide Signature and
plied for and the main research interests tive salaries and fringe benefits including medi- Emerging areas of excellence in Data Science and
• Curriculum Vitae cal insurance, retirement and housing subsidy, STEM Education Research also would be viewed
• A teaching statement which are among the best in China. Salary and favorably. Candidates should have a record of
• A research statement rank will commensurate with qualifications and research excellence as demonstrated by relevant
˲˲ Provide the contact information of 3 referees experience. More information can be found at and recent publications in top peer-reviewed con-
when submitting your online application, or, ar- http://talent.sustc.edu.cn/en. ferences or journals, presentations at significant
range for at least 3 references to be sent directly We provide some of the best start-up pack- conferences, and evidence of potential for suc-
to [email protected]. ages in the sector to our faculty members, includ- cess in attracting external funding. Successful
˲˲ Application reviews will commence immedi- ing one PhD studentship per year, in addition to teaching experience and documented participa-
ately and continue until the position is filled a significant amount of start-up funding (which tion in activities promoting inclusive excellence
˲˲ If you have further enquiries, please contact the can be used to fund additional PhD students and are also highly desired. A Ph.D. in computer sci-
Search Committee Chair, Weng-Fai Wong, at cs- postdocs, research travels, and research equip- ence or a closely related discipline is required by
[email protected]. ments). date of hire, as is documented recent research.
To apply, please provide a cover letter iden-
tifying the primary area of research, curriculum Essential duties and responsibilities. The suc-
Southern University of Science and vitae, and research and teaching statements, and cessful candidate will be expected to establish a
Technology (SUSTech) forward them to [email protected]. productive research program in their field of ex-
Professor Position in Computer Science and pertise; to be an engaging teacher, adviser, and
Engineering mentor at both the undergraduate and graduate
University of Alabama levels; and to make a strong commitment to the
The Department of Computer Science and Engi- Programmer Analysts III (6) development of innovative computing curricula.
neering (CSE, http://cse.sustc.edu.cn/en/), South- The typical teaching load is three courses per
ern University of Science and Technology (SUS- The University of Alabama seeks 6 Programmer year, including both undergraduate and graduate
Tech) has multiple Tenure-track faculty openings Analysts III for its Tuscaloosa, AL Location. courses. Service to the School, College, Univer-
at all ranks, including Professor/Associate Profes- ˲˲ Master’s degree; OR Bachelor’s degree and two sity, and profession is expected.
sor/Assistant Professor. We are looking for out- (2) years of IT experience. Must include some The School (umaine.edu/scis) is an interdis-
standing candidates with demonstrated research .NET C# experience. ciplinary unit encompassing Computer Science,
achievements and keen interest in teaching, in ˲˲ Ability to effectively communicate, both ver- Spatial Informatics, and New Media and offering
the following areas (but are not restricted to): bally and in writing with uses of varying degrees degrees in Computer Science (BS, BA, MS, Ph.D.),
˲˲ Data Science of technical ability and understanding. Spatial Information Science and Engineering
˲˲ Artificial Intelligence ˲˲ Effective time management skills and ability to (MS, Ph.D.), Information Systems (MS), and New

116 CO M MUNICATIO NS O F TH E AC M | M A R C H 201 9 | VO L . 62 | NO. 3

Media (BA). This disciplinary breadth results in diversity goals (e.g. incorporate issues of diversity include: (1) cover letter with a clear description
abundant opportunities for easy and exciting col- into mentoring, curriculum, service or research). of experience relevant to each of the required
laboration. The School has 20 full-time faculty and preferred qualifications; (2) vita including
members and enrolls approximately 300 under- Duties include: (1) Teach undergraduate and a list of at least three references; (3) a statement
graduate and 45 graduate students. In addition to graduate courses including networks; (2) Con- (two-page total) of how candidate’s research
the tenure-track assistant professor position, our duct research in at least one of the expertise will expand/complement the current research
growing School is also currently recruiting a full- areas listed above; (3) Secure external funding in ENCS and a list of the existing ENCS courses
time lecturer. The University of Maine is the flag- for research; and (4) Participate in service to the the candidate can teach and any new courses the
ship campus of the University of Maine System department and university through committee candidate proposes to develop; and (4) a state-
and is the principal graduate institution in the work, recruitment, and interaction with industry. ment on equity and diversity (guidelines found
state. It is the state’s land and sea grant univer- WSU Vancouver serves about 3,400 graduate at https://admin.vancouver.wsu.edu/sites/admin.
sity, enrolling over 11,000 students. The Univer- and undergraduate students and is fifteen miles vancouver.wsu.edu/files/Diversity%20Statement%
sity of Maine is home to the Rising Tide Center, north of Portland, Oregon. The rapidly growing 20Guidelines.pdf). Application deadline is April
launched with support from NSF’s ADVANCE pro- School of Engineering and Computer Science 7, 2019.
gram and continuing its mission to advance gen- (ENCS) equally values both research and teach- WASHINGTON STATE UNIVERSITY IS AN
der equity. Numerous cultural activities, excellent ing. WSU is Washington’s land grant university EQUAL OPPORTUNITY/AFFIRMATIVE ACTION
public schools in neighborhoods where children with faculty and programs on five campuses. For EDUCATOR AND EMPLOYER. Members of eth-
can walk to school, high-quality medical care, more information: http://ecs.vancouver.wsu.edu. nic minorities, women, special disabled veterans,
little traffic, and a reasonable cost of living make WSU Vancouver is committed to building a cul- veterans of the Vietnam-era, recently separated
the greater Bangor area a wonderful place to live. turally diverse educational environment. veterans, and other protected veterans, persons
The University is located just 60 miles from the of disability and/or persons age 40 and over are
scenic Bar Harbor area and Acadia National Park Application: Please visit www.wsujobs.com and encouraged to apply. WSU employs only U.S. citi-
and two hours from Portland. search postings by location. Applications must zens and lawfully authorized non-U.S. citizens.
Increasing the diversity of the computing pro-
fession is one of our strategic priorities. Women
and those from groups traditionally underrepre-
sented in computing fields are particularly en-
couraged to apply.
To apply, visit bit.ly/UMaineCSTTPosition
(or check umaine.hiretouch.com). A complete
application includes a letter of application, CV,
teaching statement, research statement, and list
of references. The letter of application should
directly address the applicant’s qualifications as
described above. Please also provide contact in-
formation for at least three references who can ADVERTISING IN
CAREER OPPORTUNITIES
address the applicant’s research and teaching
qualifications and accomplishments. Letters of
reference may be requested at a later stage. Ques-
tions may be directed to Dr. Silvia Nittel, Chair, CS
Faculty Search Committee, University of Maine,
How to Submit a Classified Line Ad:
5711 Boardman Hall, Orono, ME 04469-5711 or Send an e-mail to [email protected]. Please include text,
[email protected]. Incomplete application and indicate the issue/or issues where the ad will appear, and a
materials cannot be considered. Review of appli-
cations will begin 1/31/2019 and continue until contact name and number.
the position is filled.
The University of Maine, an EO/AA employer, Estimates:
seeks to employ outstanding people who con- An insertion order will then be e-mailed back to you. The ad will
tribute to the rich cultural diversity expected in
a university setting. All qualified individuals are
by typeset according to CACM guidelines. NO PROOFS can be sent.
encouraged to apply. Classified line ads are NOT commissionable.

Deadlines:
Washington State University Vancouver 20th of the month/2 months prior to issue date. For latest deadline
Tenure-Track Position at the Assistant
Professor Level info, please contact:
[email protected]
Computer Science Faculty - Washington State
University Vancouver invites applications for a
full-time tenure-track position at the assistant
Career Opportunities Online:
professor level beginning 8/16/2019. Candidates Classified and recruitment display ads receive a free duplicate
from all areas of computer science, including listing on our website at:
theory, will be considered with preference given
to expertise in computer networks, wireless net- http://jobs.acm.org
works or sensor networks.
Ads are listed for a period of 30 days.
Required qualifications: Ph.D. in Computer Sci-
ence or Software Engineering by the employment For More Information Contact:
start date and demonstrated ability to (1) develop ACM Media Sales
a funded research program, (2) establish industrial at 212-626-0686 or
collaborations, (3) teach undergraduate/graduate
[email protected]
courses, and (4) have published promising scholar-
ly work in the field and (5) contribute to our campus

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T H E ACM 117

 Check out the acmqueue app
FREE TO ACM MEMBERS
acmqueue is ACM’s magazine by and for practitioners,
bridging the gap between academics and practitioners
of the art of computer science. For more than a decade
acmqueue has provided unique perspectives on how
current and emerging technologies are being applied
in the field, and has evolved into an interactive,
socially networked, electronic magazine.

Broaden your knowledge with technical articles

focusing on today’s problems affecting CS in
practice, video interviews, roundtables, case studies,
and lively columns.

Keep up with this fast-paced world

on the go. Download the mobile app.

Desktop digital edition also available at queue.acm.org.

Bimonthly issues free to ACM Professional Members.
Annual subscription $19.99 for nonmembers.
 last byte

[ C ONTI N U E D FRO M P. 120] tant pro- There are a lot of potential scenarios
fessor, along with many other people we can imagine in the future where
in the field. During that era, there “Our goal was to map machines assist and augment humans’
was a huge effort to design machine out all the nouns in work, rather than replacing it.
learning models that could recog-
nize objects. We also had to find the English language, You’ve also been vocal about the need
sensible ways to benchmark their then collect ... to include a more diverse set of voices
performance. And there were some in computer science and AI research.
very good datasets, but in general pictures to depict If we believe machine values repre-
they were relatively small, with only the variability sent human values, we need to believe
one or two dozen different objects. we have fully represented humanity as
of each object, we develop and deploy our technology.
When datasets are small, it limits like an apple or So it’s important to encourage students
the type of models that can be built, of diverse backgrounds to participate
because there’s no way to train algo- a German Shepherd.” in the field. It’s also important, at this
rithms to recognize the variability even moment, to recognize the social im-
of a single object like “cat.” pact of technology is rising. The stakes
People were making progress in that are higher than ever, and we also need
era, but the field was a little bit stuck, to invite future business leaders, poli-
because the algorithms were unsatisfy- cymakers, humanists, social scientists
ing. So around 2006, my students and in the 50s and 60s, when scientists of diverse backgrounds to be techno-
I started to think about a different way found neurons are layered together logically literate, to interact with the
of approaching the object recognition and send information in a hierarchical tech world, and to bring that diverse
problem. We were thinking that in- way. In the meantime, cognitive sci- thinking into the process.
stead of designing models that over- ence has always been an essential part
fit on a small dataset, we would think of guiding AI’s quest for different kind Can you tell me about Stanford’s new
about very large-scale data, like mil- of tasks. Many computer scientists AI4All program for high school stu-
lions and millions of objects, and that were inspired to work on object recog- dents, which grew out of the earlier
would drive machine learning models nition, for example, because of the Stanford Artificial Intelligence Labo-
in a whole different direction. work cognitive scientists had done. ratory’s Outreach Summer Program
(SAILORS)?
So you started working on ImageNet, One of your current interdisciplinary AI4All aims to increase diversity
which seemed crazy at the time. collaborations is a neural network that in the field of artificial intelligence
Our goal was to map out all the implements curiosity-driven learning. by targeting students from a range of
nouns in the English language, then Human babies learn by explor- financial and cultural backgrounds.
collect hundreds of thousands of pic- ing the world. We are trying to create It’s a community we feel very proud of
tures to depict the variability of each algorithms that bear those kinds of and are very proud to support. One of
object, like an apple or a German features—where computers go where our earliest SAILORS alumna, a high
Shepherd. We ended up downloading they go out of curiosity rather than be- school student named Amy Jin, con-
and sifting through at least a billion ing trained on traditional tasks like la- tinued working in my lab on videos for
pictures or more, and we eventually beled images. surgical training. Then, while still in
put together ImageNet though crowd- high school, she authored a research
sourcing. That dataset was 15 million You have spoken before about the need paper with my team that was selected
images and 22,000 object categories. to think about AI from a humanistic by the 2017 Machine Learning for
and not just a technical perspective, Health Workshop’s Neural Informa-
In your research at Stanford’s Vision and you just helped launch Stanford’s tion Processing Systems (NIPS) confer-
and Learning Lab, you work closely not Human-Centered AI Initiative (HAI). ence, one of the best-respected events
just with technologists, but also with Can you talk about your goals? in the field. What’s more, out of 150
neuroscientists. Can you tell me a bit We want to create an institute that papers, she won the award for best pa-
about how that collaboration works? works on technologies to enhance hu- per. We also have students who started
Fundamentally, AI is a technical man capabilities. In the case of robot- robotics labs at their schools and hold
field. Its ultimate goal is to enable ma- ics, machines can do things humans girl-centered hackathons. Many of
chine intelligence. But because human cannot. Machines can go to dangerous them are focusing on applications that
intelligence is so closely related to this places. They can dive deeper in wa- put AI to good social use, from optimiz-
field, it helps to have a background and ter and dismantle explosive devices. ing ambulance deployment to cancer
collaborators in neuroscience and cog- Machines also have the kind of preci- research and cyberbullying.
nitive science. Take today’s deep learn- sion and strength humans do not. But
ing revolution. The algorithms we use humans have a lot more stability and Leah Hoffmann is a technology writer based in Piermont,
NY, USA.
today in neural networks were inspired understanding, and we have an easier
by classic studies of neuroscience back time collaborating with one another. © 2019 ACM 0001-0782/19/3 $15.00

MA R C H 2 0 1 9 | VO L. 6 2 | N O. 3 | C OM M U N IC AT ION S OF T H E ACM 119

last byte

DOI:10.1145/3303853 Leah Hoffmann

Q&A
Guiding Computers,
Robots to See and Think
Fei-Fei Li, co-director of Stanford University’s Human-Centered AI Institute,
wants to create algorithms that can learn the way human babies do.
T H O U G H S TA N F O R D U N I V E R S I T Y profes-
sor Fei-Fei Li began her career during
the most recent artificial intelligence
(AI) winter, she’s responsible for one
of the insights that helped precipitate
its thaw. By creating Image-Net, a hier-
archically organized image database
with more than 15 million images, she
demonstrated the importance of rich
datasets in developing algorithms—
and launched the competition that
eventually brought widespread atten-
tion to Geoffrey Hinton, Ilya Sutskever,
and Alex Krizhevsky’s work on deep
convolutional neural networks. Today
Li, who was recently named an ACM
Fellow, directs the Stanford Artificial
Intelligence Lab and the Stanford Vi-
sion and Learning Lab, where she
works to build smart algorithms that
enable computers and robots to see
and think. Here, she talks about com-
puter vision, neuroscience, and bring- a Ph.D. in a combination of cognitive sets would help computers make better
ing more diversity to the field. neuroscience and computer vision— decisions. This prompted you to build
we didn’t call it AI at that point. ImageNet, a hierarchically organized
Your bachelor’s degree is in physics image database in which each node of
and your Ph.D. is in electrical engineer- This was during one of the so-called AI the hierarchy is depicted by hundreds
ing. What drew you to computer vision winters, when interest and investment and thousands of images.
and artificial intelligence (AI)? cooled as people realized technologies In the field of AI, there are a few im-
When I was an undergrad at Princ- had failed to live up to their hype. portant problems that everyone works
PHOTO BY LINDA A . CICERO/STA NFORD NEW S SERVICE

eton, I had a lot of academic freedom. While I was studying for my Ph.D., on; we call them ‘holy grail’ problems.
By sophomore year, I was already fasci- it was a very interesting time. Machine One of them is understanding objects,
nated by the writings of physicists from learning became a very important tool which is a building block of visual in-
the early 20th century—people like in computer vision, so I was in the gen- telligence. Humans are superbly good
Schrödinger and Einstein who, in the eration of students who got a lot of ex- at recognizing tens of thousands and
later part of their careers, all had a lot posure and training in that subject. even millions of objects, and we do it
of curiosity about life and intelligence. effortlessly on a daily basis. So I was
Then I did a couple of research projects That training helped crystallize an in- working on this problem when I was
related to neuroscience and model- sight that proved pivotal to the field of a Ph.D. student and in my early years
ing; I was hooked. I decided to pursue AI, namely that creating better data- as an assis- [C O NTINUED O N P. 119]

120 COMM UNICATIO NS O F T H E ACM | M A R C H 201 9 | VO L . 62 | NO. 3

 Introducing ACM Digital Threats:
Research and Practice

A new journal in digital security from

ACM bridging the gap between academic
research and industry practice

Now Accepting Submissions

ACM Digital Threats: Research and Practice

(DTRAP) is a peer-reviewed journal that targets
the prevention, identification, mitigation, and
elimination of digital threats. DTRAP promotes the
foundational development of scientific rigor in digital
security by bridging the gap between academic research and
industry practice.

The journal welcomes the submission of scientifically rigorous

manuscripts that address extant digital threats, rather than laboratory
models of potential threats. To be accepted for publication, manuscripts
must demonstrate scientific rigor and present results that are reproducible.

DTRAP invites researchers and practitioners to submit manuscripts that present

scientific observations about the identification, prevention, mitigation, and elimination
of digital threats in all areas, including computer hardware, software, networks, robots,
industrial automation, firmware, digital devices, etc.

For more information and to submit your work,

please visit https://dtrap.acm.org.
The first authoritative resource on the dominant paradigm for new computer
interfaces: users input involving new media (speech, multi-touch, hand and body
gestures, facial expressions, writing) embedded in multimodal-multisensor interfaces
that often include biosignals. This second volume begins with multimodal signal
processing, architectures, and machine learning. It includes deep learning approaches
for processing multisensorial and multimodal
user data and interaction, as well as context-
sensitivity. It focuses attention on how
interfaces are most likely to advance human
performance during the next decade.