[KLUG Advocacy] Michigan's latest legislative messup

Mike Williams advocacy@kalamazoolinux.org
Tue, 29 Apr 2003 14:30:36 -0400


This is part of an email I get weekly, and this one is worth passing on 
to anyone remotely related to technology or politics.  A law this 
broadly written should never have made it on the books to be abused, but 
it has.  Time to write a letter to your Congressman or a check to the 
Electronic Frontier Foundation.  Sorry about the length, but I trimmed 
it as much as I could.

---------

April 28, 2003
Security Watch
http://mcpmag.com/security/
http://ENTmag.com


I'm a Criminal -- and You Probably Are, Too
By Roberta Bragg

I am a criminal. I've broken the law in seven states. By the time you
read this I may have added a state or two to my list.

I'm not currently afraid that the police are going to break down my
door and drag me off to the hoosegow, but I'm certainly chilled by the
recognition that they could.

I didn't set out to break the law; nothing is farther from my
intentions, my personal moral and ethical beliefs, my background and my
lifelong work. I'm not a serial murderer. I'm not running a methlab in
my basement. I haven't gone on a cross-country rampage robbing banks,
knocking over gas stations or stealing cars. Nevertheless, I've crossed
the line.

If my next column is written from some county jail or state
penitentiary, I'll be in good company. Most of you will be there, too,
since you're breaking these laws as well.

I'm talking about the so-called "Super DMCA" bills and their cousins,
passed by Delaware, Illinois, Maryland, Michigan, Pennsylvania,
Wyoming, and Virginia. They're currently under consideration in
Arkansas, Colorado, Florida, Georgia, Massachusetts, Oregon, South
Carolina, Tennessee, and Texas. Even if you don't live in these states,
your actions may be considered to have entered their jurisdiction. What
are state borders to the Internet?

This law specifically outlaws software capable of concealing the
existence or source of any electronic communication. In essence, you
and I are now criminals because we apply sound information security
practices such as:

  - Using a firewall or NAT box to hide the original IP address of the
computer from which we're working
  - Encrypting a session between our computer and another computer in a
manner which disguises the source address
  - Using a VPN to tunnel to a corporate office
  - Deploying a honey pot or honey net
  - Using an anonymizer when browsing the Internet
  - Purchasing products which can hide IP addresses. This, of course,
includes Windows products
  - Sharing information on IT security practices with others

Heck, I'm probably breaking the law every time I communicate to you
about how to do any of these things. Cast in the light of this law I'm
probably an arch-criminal since I write and teach how to do these
things and often describe and review specific products which do so.
(Think my fears are ungrounded? A Michigan Ph.D. candidate is so
concerned he's removed his research from access by U.S. citizens: see
www.securityfocus.com/news/3912 for details. How many others will now
refuse to share with us the fruits of their security research?)

I'm sure to some of you this may still seem to be quite far-fetched.
After all, the laws were designed to keep folks from stealing cable TV
and broadband Internet signals, and that quite obviously isn't our
intent. Perhaps it's paranoid of me to think that anyone would use the
law to attack legitimate security researchers, companies protecting
their information or home users who add a firewall to their desktop
computer. But the law doesn't have any language about intent. To be
fair, a revised version of the law is circulating that includes an
intent to defraud as a provision. The revision, however, doesn't define
how that will be determined. In addition, this version of the law isn't
the one now under consideration, or that has been passed.

In addition to hindering your information security efforts, and placing
you at risk of arrest, prosecution and imprisonment, The Electronic
Frontier Foundation lists the following problems with the bills:

  - Things not expressly permitted are forbidden: You can't add a
wireless access point to your DSL connection at home without the
permission of your ISP. Think they'll let you?
  - Threat to anonymity: As mentioned, it outlaws NAT, firewalls,
encryption and VPNs
  - Threat to competition and innovation: Who would produce new security
devices in the United States? This market will go elsewhere
  - Transfers law from public to private hands: The bills are sponsored
by cable providers and the like and encouraged by their friends at the
Motion Picture Association of America (MPAA). The bills add the
potential of civil liability, meaning these companies could also sue us
  - ISVs seen to be in violation can be forced to downgrade their
products, removing the offending capability. Don't look now, but
Microsoft's end-user license agreement states they can access your
machines for the purpose of providing software updates
  - The service provider can sue you; if they win, they can make you pay
their attorney fees. But if you win, you can't collect your attorney
fees from them.
  - Preliminary injunctions (cease and desist) are allowed without
providing proof of damage, harm or inadequate remedy -- the normal
requirement. In short, once accused, the courts can order you to stop
doing what you're doing. Yes, they could shut me up and I probably
couldn't tell you about it.
  - You may have to pay damages of $1,500 to $10,000 for each illegal
device, even if there's no proof any harm has occurred. Well, let's
see; if my next column explains how to configure NAT for a specific
device, and it gets delivered to all of you -- guess I could be fined
roughly a half-million dollars
  - Chilling effect on research. Need I say more?

The law as it stands is bad, and we all need to speak up. Find out the
status of the law in your state and the states in which you might be
accused of breaking it. Visit the sites listed below to become informed
and find specific courses of action you might take. At least write your
legislators and start a dialog with them about the meaning of this
bill. Circulate information about impending legislative votes on bills
in consideration; imagine the impact if we all e-mailed these legislators
on the eve of their decision. Start educating everyone about how
information security works and why hiding the source of a communication
protects everyone. And above all, *do not* stop implementing and using
sound security practices. If that makes us all criminals, then so be
it; they can't arrest us all.

  - Status of current and impending legislation, interpretation of the
law: http://www.freedom-to-tinker.com/doc/2003/mpaa_3apr.rtf

  - Status of state laws: http://www.freedom-to-tinker.com/superdmca.html

  - Electronic Frontier Foundation discussion and links:
http://www.eff.org/IP/DMCA/states/200304_sdmca_eff_analysis.php

  - Information on hearings: http://www.digitalspeech.org/

-- Roberta Bragg, MCSE, CISSP and contributing editor for MCP Magazine,
runs her company, Have Computer Will Travel Inc., out of a notebook
carrying case. She's a frequent speaker and trainer for MCP Magazine's
TechMentor conference and seminar series. She's an independent
consultant specializing in security, operating systems and databases.
Her newest book is the CISSP Training Guide (Que Publishing). You can
reach her at roberta.bragg@mcpmag.com.