http://www.informationweek.com/story/showArticle.jhtml?articleID=8800603

By George V. Hulme
Apr 23, 2003

An open-source security app may be the first victim of so-called super-DMCA laws.

In the days following the July 2001 Code Red worm outbreak, which infected 359,000 systems in 14 hours, software developer Tom Liston started work on an application that would turn the tables on worms. He created LaBrea, which essentially acts like a digital tar pit, trapping hackers and worms, forcing hackers to break off attacks, and preventing worms from moving on to other computers. The free, open-source application has been heralded in security circles and nominated for awards as a unique weapon.

It's also been pulled from Liston's Hackbusters.net site by its author. He yanked it April 15 when the Illinois resident learned that a 4-month-old state law (Compiled Statutes 720 ILCS 5) makes it illegal to create a device capable of disrupting a communication service without the express authorization of the communication service provider. The law also makes it a crime to conceal the existence, origin, or destination of any communication from a service provider or any lawful party.

Technically, LaBrea disrupts communications and conceals the true origin of network communications. So Liston pulled LaBrea rather than risk prosecution for what he believes is, at best, a vaguely worded piece of legislation.

Some software security experts, academics, and consumer-electronics-industry representatives say such legislation will curb legitimate research and speech. They refer to the state rules as "super-DMCA" laws because they claim the laws tend to be more restrictive than the federal Digital Millennium Copyright Act of 1998. The DMCA itself seeks to prohibit any hardware or software that can circumvent copy-protection schemes for digital media, such as E-books, movies, and music.

Intellectual-property-rights advocates, including entertainment conglomerates, say those worries are overstated. So-called super-DMCA laws that are proliferating among the states, they say, are intended only to prevent people from pirating content. "These laws are about theft. It's that simple," says Vans Stevenson, senior VP of state legislative affairs at the Motion Picture Association of America. Stevenson says the laws are in no way intended to thwart legitimate security devices. "No one is going to go to jail for using a firewall or VPN," he says. It's safe to say, however, that the MPAA would like to see people who right now are pirating copyrighted content do some serious jail time.

It's probable that Liston won't be proved paranoid or prudent until the matter goes to court, but he doesn't want to be the precedent setter. The Illinois law has teeth. Violations involving nine or fewer unlawful communication devices (which could be interpreted to mean software or a computer carrying offending software) are treated as misdemeanors. Violations involving 10 or more devices are Class 4 felonies. If the violation involves 50 or more devices, the penalty can reach five years' imprisonment. Civil action can also be brought against violators, with damages ranging from $250 to $10,000 for each unlawful communication device.

"The problem for me is that LaBrea is an open-source application and is, essentially, a labor of love, not profit," Liston says. "Hiring a lawyer to tell me whether I can legally give away LaBrea without violating the super-DMCA provisions of Illinois state law just seems wrong."

Liston says security researchers and academics have been warned off some actions with implied threats to press charges. Examples bolstering that claim include:

* A team of security researchers from Princeton University, Rice University, and Xerox in April 2001 decided not to publicly present research that it had completed about circumventing watermark techniques for digital music. The research was the result of a challenge issued by the Secure Digital Music Initiative, a consortium of companies trying to create open protection specifications. The group tried to block full disclosure of the research, saying the federal DMCA might be applied if it were disclosed.

* In August, Hewlett-Packard sent a memo citing the DMCA to a security research firm, Secure Network Operations Inc. (better known as SnoSoft), threatening legal action after the group published code that exposed a serious hole in HP's Tru64 Unix operating system. HP ultimately took no legal action.

* Programmers and researchers from countries such as Britain and Russia have refused to come to the United States for fear their security-related research--legal in their nations--could land them in prison here.

So far, according to the digital-rights activist group Electronic Frontier Foundation, super-DMCA laws have been passed in Colorado, Delaware, Illinois, Michigan, Oregon, Pennsylvania, and Wyoming. Similar bills are pending in Arkansas, Florida, Georgia, Massachusetts, Tennessee, and Texas.

Intellectual-property attorney Fred von Lohmann with the foundation says that ISPs, cable companies, and digital-entertainment companies could use these state laws to restrict what type of devices can be connected to the Internet and could potentially ban tools widely used to protect the relative anonymity and security of the Internet.

"These state bills are very harmful to civil liberties and likely would be found unconstitutional if challenged," says intellectual-property lawyer Robin Gross, who's also executive director of IP Justice, an international civil-liberties organization. "Many everyday activities such as using a firewall to block intruders from your computers, surfing the Web using a service that prevents advertisers from tracking you, or using encrypted E-mail services to protect your personal privacy would all be illegal under the MPAA's model law" that it's recommending to states, she says.

As a result of such criticisms, the MPAA's Stevenson has said, the association will suggest that states insert "intent to defraud" wording into legislation being considered.

A defraud qualifier wouldn't matter to Liston. "I believe, based on my reading of the Illinois statutes, that continuing to distribute LaBrea from my site would place me in violation of the law," he says. Before he'd make it available on Hackbusters again, Liston says, he'd need to see the law rewritten, or "better yet, repealed."