Free Republic
Browse · Search
News/Activism
Topics · Post Article


'Super-DMCA' Fears Suppress Security Research (Penalizing Our Brightest Minds Alert)
SecurityFocus / The Register ^ | 04/16/2003 | Kevin Poulsen

Posted on 04/16/2003 9:02:47 AM PDT by Jay D. Dyson

'Super-DMCA' fears suppress security research
By Kevin Poulsen, SecurityFocus
Posted: 14/04/2003 at 10:16 GMT

Steganography and honeypot expert Niels Provos may risk four years in prison by completing his Ph.D., writes Kevin Poulsen, of SecurityFocus.

A University of Michigan graduate student noted for his research into steganography and honeypots -- techniques for concealing messages and detecting hackers, respectively -- says he's been forced to move his research papers and software offshore and prohibit U.S. residents from accessing it, in response to a controversial new state law that makes it a felony to possess software capable of concealing the existence or source of any electronic communication.

"Concealing the existence of communication is my dissertation, and concealing the source of communication takes place in honey nets," says Niels Provos. "So I decided to be proactive about it and move it to another location, and for now just deny anybody from the states to download any of my software."

At issue are the so-called "Super-DMCA" bills under consideration in seven states, which have already become law in six others. Similar in some ways to the federal Digital Millennium Copyright Act -- which made it a crime to distribute software that cracks copy protection schemes -- the state measures appear to target those who would steal pay-per-view cable television shows or defraud broadband providers. Though the bills vary in language and scope, they are patterned after model legislation pushed by the Motion Picture Association of America along with the Broadband and Internet Security Taskforce, the latter a consortium of cable companies and premium channels.

The Super DMCA began quietly passing state legislatures two years ago, but did not come to public attention until last month, when the broad language in some versions of the bill immediately sparked anger from technologists and public interest groups.

The Michigan law, which took effect on March 31st, typifies the legislation: Among other things, residents of the Great Lakes State can no longer knowingly "assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise" any device or software that conceals "the existence or place of origin or destination of any telecommunications service." It's also a crime to provide written instructions on creating such a device or program. Violators face up to four years in prison.

Taken literally, the law is bad news for businesses like Anonymizer.com and Hushmail -- both services cater to privacy-conscious Internet users determined to conceal their place of origin from marketers, or to communicate anonymously. Critics say it would also ban firewalls and NAT boxes, dealing a blow to Internet security. "This statute essentially criminalizes the mere possession of technology," says Fred von Lohmann, senior staff attorney at the Electronic Frontier Foundation, which opposes the legislation.

From Michigan to the Netherlands

Provos says the Michigan law also makes most of his academic career a crime. Provos is an expert on steganography, the science of concealing secret messages in seemingly innocuous content. He's developed software to detect some types of stego in image files, but he's also worked the other side, developing improved methods for preventing a message from being detected. He also wrote "HoneyD," a free program that simulates a network of computers, with the aim of luring in and detecting hackers. The deceptive software arguably conceals the source of a communication.

"It's very difficult, reading the law, it makes basically everything that I do illegal," says Provos.

So last week Provos took his research papers and software off of his home page, and relocated them to a server in the Netherlands. To play it safe, he also erected a barrier of sorts to U.S. visitors: to access the new page, a user has to answer three questions affirming that they are not in the United States, or another country with similar laws. He hopes it's enough to give him legal cover. "I'm not really sure how this works. If I give access to people in the U.S. and I live in Michigan, could that be construed as a problem?" he says. "And there are a lot of other states that have passed their own laws."

Provos says the offshore site is a temporary measure while he awaits an opinion from the University of Michigan's legal department. Meanwhile, he's urging colleagues in the security community to contact his state's legislators and fill them in on the unintended consequences of the Super-DMCA. But he insists the whole thing isn't a protest or a publicity stunt. Though nobody has yet been prosecuted under the law, Provos, a German national, says his concern is genuine. "As a foreigner I have to be very careful... I'd rather follow the law to the letter than be negatively surprised later."

The EFF's von Lohmann says he's worried that Provos may not have gone far enough. "If he's still in Michigan... Sure, he has a questionnaire, but maybe that's not enough," he says. "I don't know. This is all untested territory."

In response to the early criticism, the industry groups pushing for the law released a new version of their model legislation on April 1st that, among other things, adds an "intent to defraud" to the language -- significantly narrowing the scope of the law. "That doesn't really fix all the problems because it's unclear to me what intent to defraud means in this context," says von Lohmann. In any event, unless lawmakers revisit their efforts, the new draft comes too late for Michigan residents, and those in other states where an old version of the bill has already become the law of the land.


TOPICS: News/Current Events
KEYWORDS: cryptography; dmca; research; steganography
The silliness of DMCA harkens back to the time when cryptography was officially classified as a "munition" by the State Department. All this DMCA nonsense serves to do is stifle legitimate research that would ultimately benefit the American public. Enough is enough already!

-Jay

1 posted on 04/16/2003 9:02:47 AM PDT by Jay D. Dyson

To: Jay D. Dyson
This guy should go directly to the DOD or someone in DC to bypass the system. They are looking for people like this.
2 posted on 04/16/2003 9:12:10 AM PDT by sarasota

Comment #3 Removed by Moderator

To: Jay D. Dyson
Strong cryptography really is a powerful munition, and the U.S. would certainly be more secure if we'd been able to restrict its export abroad, and we were acting on sound legal and strategic grounds to try to do so. Of course, technology made those efforts futile, and we're less safe as a result.
4 posted on 04/16/2003 9:27:50 AM PDT by only1percent

To: only1percent
Strong cryptography really is a powerful munition, and the U.S. would certainly be more secure if we'd been able to restrict its export abroad, and we were acting on sound legal and strategic grounds to try to do so.

I respectfully disagree. It's because of the unreasonable restrictions on cryptography that the U.S. lost its competitive edge on the free market in which other nations were not thus encumbered by such silly laws.

While the rest of the world was able to offer 128-bit (and higher) encryption with their commercial products, U.S. firms could only offer 40-bit encryption. We were -- quite literally -- the laughingstock of the security and technology world because of that.

As many (myself included) are fond of saying, "If guns are outlawed, only outlaws will have guns."

The same is true for strong cryptography.

-Jay

5 posted on 04/16/2003 9:40:06 AM PDT by Jay D. Dyson (Terrorists of the world, RISE UP! [So I may more easily gun you down.])

To: sarasota
This guy should go directly to the DOD or someone in DC to bypass the system. They are looking for people like this.

This is true, but an exception just for him would still leave the rest of us in the lurch. A lot of great security researchers have had to (at least publicly) abandon their work or move it overseas because of the DMCA.

I'm reminded of the old story called "The Emperor's New Clothes." Under the DMCA, the boy who points out that the Emperor is naked would be the one who gets punished, not the "manufacturer" of the illusory raiment.

-Jay

6 posted on 04/16/2003 9:47:54 AM PDT by Jay D. Dyson (Terrorists of the world, RISE UP! [So I may more easily gun you down.])

To: Jay D. Dyson
You point out a latent overgeneralization in my argument -- we were (as you quite rightly say) foolish in the extreme to prevent the export of encryption which was less than state of the art -- US businesses suffered and no enemies were even slightly inconvenienced. I do think it was, and remains, proper for the US to have reasonable export controls upon any potentially dangerous technology when that technology IS the state of the art and cannot be obtained from other sources.
7 posted on 04/16/2003 10:20:19 AM PDT by only1percent

To: Jay D. Dyson
bttt
8 posted on 04/16/2003 5:51:11 PM PDT by Brian S (YOU'RE IT!)

To: Jay D. Dyson; scubadave
..."U.S. lost its competitive edge on the free market..."

And now we have HIPAA for the PROTECTION of consumer medical data that requires the use of this "MUNITIONS" technology that was stymied by the arcane laws of the past and present.

Will the US Government put a policeman at every house, a wiretap on every phone, an AI bot on every internet connection and take away from the people the very means that they could use to protect and defend themselves? No, that is a ridiculous approach and there are too many of us in and out of government service that will not let this path continue.

Write your congressperson and let's fix these laws now.


9 posted on 04/22/2003 2:33:34 PM PDT by thunderdome
