An independent coder says a new service-theft law could make one of his apps illegal.
In the days following the July 2001 Code Red worm outbreak, which infected 359,000 systems in 14 hours, software developer Tom Liston started work on an application that would turn the tables on worms. He created LaBrea, which essentially acts like a digital tar pit, trapping hackers and worms, forcing hackers to break off attacks, and preventing worms from moving on to other computers.
The free, open-source application has been heralded in security circles and nominated for awards as a unique weapon. It's also been pulled from Lipton's Hackbusters.net site by its author. He yanked it April 15 when the Illinois resident learned that a 4-month-old state law (Compiled Statutes 720 ILCS 5) makes it illegal to create a device capable of disrupting a communication service without the express authorization of the communication service provider.
The law also makes it a crime to conceal the existence, origin, or destination of any communication from a service provider or any lawful party.
Technically, LaBrea disrupts communications and conceals the true origin of network communications. So Liston pulled LaBrea rather than risk prosecution for what he believes is, at best, a vaguely worded piece of legislation.
Some software security experts, academics, and consumer-electronics-industry representatives say such legislation will curb legitimate research and speech. They refer to the state rules as "super-DMCA" laws because they claim the laws tend to be more restrictive than the federal Digital Millennial Copyright Act of 1998.
The DMCA itself seeks to prohibit any hardware or software that can circumvent copy-protection schemes for digital media, such as E-books, movies, and music.
Intellectual-property-rights advocates, including entertainment conglomerates, say those worries are overstated. So-called super-DMCA laws that are proliferating among the states, they say, are intended only to prevent people from pirating services. The legislation under contention is largely based on model legislation suggested by the Motion Picture Association of America. It's designed to bring laws that protect against cable and pay-per-view movie theft up to date with the Internet era, explains Vans Stevenson, senior VP of state legislative affairs at the Motion Picture Association of America.
"These laws are about theft. It's that simple," Stevenson says. They are in no way intended to thwart legitimate security devices. "No one is going to go to jail for using a firewall or VPN," he says. It's safe to say, however, that the MPAA would like to see people who right now are pirating services do some serious jail time.
A group known as the Broadband and Internet Security Task Force has also lent a hand to the drafting of the model legislation. The task force is supported by cable-TV and content companies including AT&T Broadband, Buena Vista Television, Comcast Cable Communications, Cox Communications, Home Box Office, Macrovision, Showtime Networks, and Time Warner Cable.
It's probable that Liston won't be proved paranoid or prudent until the matter goes to court, but he doesn't want to be the precedent setter. The Illinois law has teeth. Violations involving nine or fewer unlawful communication devices (which could be interpreted to mean software or a computer carrying offending software) are treated as misdemeanors. Violations involving 10 or more devices are Class 4 felonies. If the violation involves 50 or more devices, the penalty can reach five years' imprisonment. Civil action can also be brought against violators, with damages ranging from $250 to $10,000 for each unlawful communication device.
"The problem for me is that LaBrea is an open-source application and is, essentially, a labor of love, not profit," Liston says. "Hiring a lawyer to tell me whether I can legally give away LaBrea without violating the super-DMCA provisions of Illinois state law just seems wrong."
Liston says security researchers and academics have been warned off some actions with implied threats to press charges. Examples bolstering that claim include:
A team of security researchers from Princeton University, Rice University, and Xerox in April 2001 decided not to publicly present research that it had completed about circumventing watermark techniques for digital music. The research was the result of a challenge issued by the Secure Digital Music Initiative, a consortium of companies trying to create open protection specifications. The group tried to block full disclosure of the research, saying the federal DMCA might be applied if it were disclosed.
In August, Hewlett-Packard sent a memo citing the DMCA to a security research firm, Secure Network Operations Inc. (better known as SnoSoft), threatening legal action after the group published code that exposed a serious hole in HP's Tru64 Unix operating system. HP ultimately took no legal action.
Programmers and researchers from countries such as Britain and Russia have refused to come to the United States for fear their security-related research--legal in their nations--could land them in prison here.
So far, according to the digital-rights activist group Electronic Frontier Foundation, super-DMCA laws have been passed in Colorado, Delaware, Illinois, Michigan, Oregon, Pennsylvania, and Wyoming. Similar bills are pending in Arkansas, Florida, Georgia, Massachusetts, Tennessee, and Texas.
Intellectual-property attorney Fred von Lohmann with the foundation says that ISPs, cable companies, and digital-entertainment companies could use these state laws to restrict what type of devices can be connected to the Internet and could potentially ban tools widely used to protect the relative anonymity and security of the Internet.
"These state bills are very harmful to civil liberties and likely would be found unconstitutional if challenged," says intellectual-property lawyer Robin Gross, who's also executive director of IP Justice, an international civil-liberties organization. "Many everyday activities such as using a firewall to block intruders from your computers, surfing the Web using a service that prevents advertisers from tracking you, or using encrypted E-mail services to protect your personal privacy would all be illegal under the MPAA's model law" that it's recommending to states, she says.
As a result of such criticisms, the MPAA's Stevenson and Geoffrey Beauchamp, counsel to the Broadband and Internet Security Task Force, have said they'll suggest that pending state legislation carry "intent to defraud" wording in an effort to clean up ambiguity.
Both say critics see wolves where none exist. "This is a natural extension of cable-theft and similar laws that have been on the books for 20 years. The intent and purpose of the proposed legislation is to stop communications-service theft," Beauchamp says. "If you access or hack into a service you have not paid for, or [you] design, develop, distribute, or manufacture a device and its primary intent is to defeat copy protection, you would be in violation," he says.
A defraud qualifier wouldn't matter to Liston. "I believe, based on my reading of the Illinois statutes, that continuing to distribute LaBrea from my site would place me in violation of the law," he says. Before he'd make it available on Hackbusters again, Liston says, he'd need to see the law rewritten, or "better yet, repealed."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.