Archives for February 2003

A new anti-terrorism bill criminalizes some uses of encryption:

Sec. 2801. Unlawful use of encryption
(a) Any person who, during the commission of a felony under Federal law, knowingly and willfully encrypts any incriminating communication or information relating to that felony –
(1) in the case of a first offense under this section, shall be imprisoned not more than 5 years, fined under this title, or both; and (2) in the case of a second or subsequent offense under this section, shall be imprisoned not more than 10 years, fined under this title, or both.
(b) The terms ‘encrypt’ and ‘encryption’ refer to the scrambling (and descrambling) of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information.

Declan McCullagh at news.com is alarmed, but Orin Kerr at The Volokh Conspiracy says this provision is “all bark and no bite.”

As far as I know, nobody has remarked on a strange aspect of the proposal: it criminalizes all forms of encryption, even those that do not conceal information. Encryption is used to conceal information, but it is also used to ensure the integrity or authenticity of information by providing a way to detect tampering with information. So if I send you an email message, I can use crypto to keep the message secret from eavesdroppers, or to give you a way to verify that the message really came from me, or both. The proposal would criminalize all of these possibilities – note the definition of “encryption” as including data scrambling “”to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering … information.”

I can understand the public policy argument for criminalizing the use of crypto to conceal evidence of a crime. (There are also strong public policy arguments against doing this, but that’s another topic.) But where is the public policy argument for criminalizing other uses of crypto? If a criminal puts his digital signature on an incriminating message, or if he uses crypto to ensure the integrity of his incriminating records, where’s the harm?

The Computer and Communications Industry Association, a trade group, has filed a lengthy antitrust complaint against Microsoft with European authorities. The complaint centers on allegedly anticompetitive aspects of Windows XP. Here is an AP story; here is CCIA’s summary of the complaint.

According to CCIA, they are accusing Microsoft of:

Bundling multiple Microsoft products with the Windows [XP] operating system;
Biasing the user interface and operation of Windows XP and the products bundled with Windows to advantage Microsoft’s own software and services;
Imposing Microsoft proprietary technologies, protocols, and formats;
Employing abusive licensing and other exclusionary practices vis-a-vis PC OEMs to foreclose the PC OEM distribution channel to competing products; and
Refusing to disclose the document formats for the programs in Microsoft’s Office suite of personal productivity applications.

Brian McWilliams, who perpetrated the terrorist website hoax I wrote about yesterday, has now posted his response, including a quasi-apology.

[Link credit: Politech]

This one leaves me speechless.

According to a fascinating story over at ComputerWorld, tech journalist Brian McWilliams has admitted to running a hoax website that claimed to be the site of a scary real-world terrorist group. He even arranged to have the fake site “defaced” by (fictitious) anti-terrorist hackers, and he created a hoax message in which the group claimed “credit” for the recent Slammer/Sapphire worm attack. McWilliams claims to have gotten several emails from people wanting to join the terrorist group, and to have passed some of them on to the FBI.

[Link credit: Declan McCullagh’s Politech.]