September 28, 2023

Archives for March 2003

Intent Requirements in the State Super-DMCA Bills

Several readers point out that the state super-DMCA bills contain language requiring an “intent to harm or defraud a communications service”, and they suggest that such a requirement makes the bills less harmful than I had said yesterday.

I disagree, for two reasons.

First, although some of the offenses created by the bills do require an “intent to harm or defraud”, the part of the bills to which I objected yesterday does not contain such a requirement. All that is required in the way of intent is an intent to conceal the origin or destination of a communication – and that intent would be inferred, presumably, if somebody took an action that had the predictable effect of concealing origin or destination.

Second, even if such language did apply to the part of the bills under discussion, I would still be worried (though less so). “Intent to defraud” doesn’t bother me, but “intent to harm” does, given the danger that “harm” could be construed broadly. In a competitive marketplace, people often take legitimate actions that harm the interests of one competitor. If I switch my lunch beverage from Pepsi to Coke, that action could be said to harm Pepsi; but surely my intent to switch beverages does not belong in the same category as an attempt to defraud Pepsi.

MPAA Lobbying for State Super-DMCA Bills

The MPAA has reportedly been lobbying in favor of the overreaching state super-DMCA bills I discussed yesterday. Apparently, the MPAA has been circulating this one-pager in support of the bills.

The one-pager refers to “proposed model state legislation”, which explains the similarities between the various states’ bills. But it doesn’t say who is circulating the model legislative language. Anybody care to guess?

As a professor, I couldn’t help but notice that I had seen documents like this before. The characteristics are familiar: the large space-filling font; the overlong introduction repeating obvious generalities (e.g., copyright infringement is bad); the circular arguments (e.g., the need “to make illegal the manufacture and use of unlawful … devices”); and the lack of any specific reference to the text supposedly under discussion. It looks suspiciously like an essay turned in by a student who didn’t do the reading.

Use a Firewall, Go to Jail

The states of Massachusetts and Texas are preparing to consider bills that apparently are intended to extend the national Digital Millennium Copyright Act. (TX bill; MA bill) The bills are obviously related to each other somehow, since they are textually similar.

Here is one example of the far-reaching harmful effects of these bills. Both bills would flatly ban the possession, sale, or use of technologies that “conceal from a communication service provider … the existence or place of origin or destination of any communication”. Your ISP is a communication service provider, so anything that concealed the origin or destination of any communication from your ISP would be illegal – with no exceptions.

If you send or receive your email via an encrypted connection, you’re in violation, because the “To” and “From” lines of the emails are concealed from your ISP by encryption. (The encryption conceals the destinations of outgoing messages, and the sources of incoming messages.)

Worse yet, Network Address Translation (NAT), a technology widely used for enterprise security, operates by translating the “from” and “to” fields of Internet packets, thereby concealing the source or destination of each packet, and hence violating these bills. Most security “firewalls” use NAT, so if you use a firewall, you’re in violation.

If you have a home DSL router, or if you use the “Internet Connection Sharing” feature of your favorite operating system product, you’re in violation because these connection sharing technologies use NAT. Most operating system products (including every version of Windows introduced in the last five years, and virtually all versions of Linux) would also apparently be banned, because they support connection sharing via NAT.

And this is just one example of the problems with these bills. Yikes.

UPDATE (6:35 PM): It’s worse than I thought. Similar bills are on the table in South Carolina, Florida, Georgia, Alaska, Tennessee, and Colorado.

UPDATE (March 28, 9:00 AM): Clarified the paragraph above about encrypted email, to eliminate an ambiguity.

UPDATE: I now have a page with information about all of these bills, including the current status in each state.

Finkelstein Replies on ARDG and the Press

Seth Finkelstein replies to my previous posting on companies’ press policies by suggesting that companies are rational to keep their engineers away from the press, because of concerns about being unfairly misquoted.

I can see his point, by I think hatchet-job stories are pretty rare in the respectable media, and I also think that most readers recognize such stories and discount them. Reporters resent being manipulated and are more likely to seize on a misstatement if it is the only interesting thing you say. If you want them to write about substance, you have to talk to them about substance.

Seth’s example, the “Al Gore invented the Internet” story, is a good illustration. Gore’s organization was trying to manipulate the press, as all political campaigns do. Gore was available to the press mainly in highly scripted situations, so when he went off script and said something he shouldn’t have said, it was newsworthy.

(And though too much was made of Gore’s statement, he did say, “I took the initiative in creating the Internet”, which just isn’t true. Yes, Gore deserves credit for promoting the Internet before almost anyone else on Capitol Hill had even heard of it; and yes, he did take the initiative in funding the Internet at a crucial stage of its build-out. But there is a big difference between creating something and merely paying for a stage of its construction.)

NRC Report on Authentication Technology and Privacy

The authoritative National Research Council has issued an important new report entitled “Who Goes There?: Authentication Through the Lens of Privacy.” Like all NRC reports, this is an in-depth document reflecting the consensus of an impressive panel of experts.

Often people think of authorization (that is, ensuring that only authorized people get access to a resource) is antithetical to privacy, but this need not be true. One of the report’s findings is this:

Authorization does not always require individual authentication or identification, but mosts existing authorization systems perform one of these functions anyway. Similarly, a requirement for authentication does not always imply that accountability is needed, but many authentication systems generate and store information as though it were.

There are many ways to use authentication in designing systems, and a careful design can reduce the privacy cost that must be paid to achieve a given level of security. There is not a single “knob” that we can turn to trade off security against privacy, but a complex landscape in which we can hope to get more of both, if we choose wisely.