August 25, 2016

Archives for March 2003


Super-DMCA Already Law in Several States

Louis Trager at the Washington Internet Daily reports that Super-DMCA bills have already passed in several states:

The low-profile lobbying effort was under way about 2 years before it burst into the open in recent days. Legislation supported by MPAA was enacted in [Delaware] and [Maryland] in 2001 and in [Illinois], [Michigan] and [Virginia] last year, MPAA Senior VP Vans Stevenson said…. A different version was enacted in [Pennsylvania] in 2000, Stevenson said.

The story further quotes Stevenson as saying that bills are “pending” in Arkansas, Colorado, Florida, Georgia, Massachusetts, South Carolina and Texas. Others are watching bills in Oregon and Tennessee, Trager reports.

I have updated my Super-DMCA status page to reflect this new information.


Intent and the Super-DMCAs

Most of the reponses to my super-DMCA postings have been supportive, but a few people have disagreed. Some of the disagreements say, essentially, that there is no problem, because the bills are intended as anti-piracy measures, to prevent people from using cable, phone, or wireless service without paying.

(Let me put any doubts to rest by saying right now that people should be willing to pay for the service they receive. Jacking into the cable-TV network without paying for it is wrong, and I am happy to see reasonable punishments imposed on those who do it. If that were all these bills did, I wouldn’t object.)

In tech policy debates, we often see arguments about intentions crowding out discussion of the concrete effects of an action. It’s easy to see why intentions talk can be attractive for some participants. For one thing, it’s a game the whole family can play, regardless of their level of technical sophistication. There’s none of that boring, geeky talk about how networks operate and why encryption is used this way or that. Your arguments fit on a bumper sticker, and they’re fully reusable.

The other benefit of the good-intentions argument is that it’s usually true. In my limited engagement with the political process, it has seemed to me that everybody sees themselves as working for the public good, though they may naturally see the public good through the lens of their own self-interest. But if good intentions are so common, then their presence is unremarkable and doesn’t really distinguish you from the other side of the debate. Still, intentions talk is surprisingly common.

All of this would be harmless if politics were just a sequence of symbolic gestures. But of course we know that it isn’t. Citizens have to live with the consequences of well-intentioned but poorly drafted laws. We saw it with the DMCA, and we’ll see it again. The focus belongs on what these bills actually say, and what they would actually do.


NYT on Concealing Origin of Communications

Thursday’s New York Times ran an article by Thomas J. Fitzgerald about how to protect your privacy on-line. Here is an excerpt:

The tools and techniques that can be used to strengthen online privacy range from ways of masking your computer’s identity as you surf the Web to software for managing cookies to services that disguise the origin of e-mail messages.

Sounds like the Super-DMCA’s ban on concealing the origin of communications might be a bad idea!


Super-DMCA Page Available

I have created a page at with information about the state Super-DMCA bills and laws. I will update the page with status information as it comes in, and later with information about efforts to help educate lawmakers about this issue.


Super-DMCA Already Passed in Michigan

Alert reader Larry Blunk reports that the state of Michigan has already passed a set of super-DMCA laws. They will take effect on March 31. Here is the text of the three new laws: 1, 2, 3.

The ban on concealing the origin or destination of communications, whose drawbacks I had pointed out previously, is in the second of these laws. Other problematic aspects of the super-DMCA legislation are in the other laws.


Intent Requirements in the State Super-DMCA Bills

Several readers point out that the state super-DMCA bills contain language requiring an “intent to harm or defraud a communications service”, and they suggest that such a requirement makes the bills less harmful than I had said yesterday.

I disagree, for two reasons.

First, although some of the offenses created by the bills do require an “intent to harm or defraud”, the part of the bills to which I objected yesterday does not contain such a requirement. All that is required in the way of intent is an intent to conceal the origin or destination of a communication – and that intent would be inferred, presumably, if somebody took an action that had the predictable effect of concealing origin or destination.

Second, even if such language did apply to the part of the bills under discussion, I would still be worried (though less so). “Intent to defraud” doesn’t bother me, but “intent to harm” does, given the danger that “harm” could be construed broadly. In a competitive marketplace, people often take legitimate actions that harm the interests of one competitor. If I switch my lunch beverage from Pepsi to Coke, that action could be said to harm Pepsi; but surely my intent to switch beverages does not belong in the same category as an attempt to defraud Pepsi.


MPAA Lobbying for State Super-DMCA Bills

The MPAA has reportedly been lobbying in favor of the overreaching state super-DMCA bills I discussed yesterday. Apparently, the MPAA has been circulating this one-pager in support of the bills.

The one-pager refers to “proposed model state legislation”, which explains the similarities between the various states’ bills. But it doesn’t say who is circulating the model legislative language. Anybody care to guess?

As a professor, I couldn’t help but notice that I had seen documents like this before. The characteristics are familiar: the large space-filling font; the overlong introduction repeating obvious generalities (e.g., copyright infringement is bad); the circular arguments (e.g., the need “to make illegal the manufacture and use of unlawful … devices”); and the lack of any specific reference to the text supposedly under discussion. It looks suspiciously like an essay turned in by a student who didn’t do the reading.


Use a Firewall, Go to Jail

The states of Massachusetts and Texas are preparing to consider bills that apparently are intended to extend the national Digital Millennium Copyright Act. (TX bill; MA bill) The bills are obviously related to each other somehow, since they are textually similar.

Here is one example of the far-reaching harmful effects of these bills. Both bills would flatly ban the possession, sale, or use of technologies that “conceal from a communication service provider … the existence or place of origin or destination of any communication”. Your ISP is a communication service provider, so anything that concealed the origin or destination of any communication from your ISP would be illegal – with no exceptions.

If you send or receive your email via an encrypted connection, you’re in violation, because the “To” and “From” lines of the emails are concealed from your ISP by encryption. (The encryption conceals the destinations of outgoing messages, and the sources of incoming messages.)

Worse yet, Network Address Translation (NAT), a technology widely used for enterprise security, operates by translating the “from” and “to” fields of Internet packets, thereby concealing the source or destination of each packet, and hence violating these bills. Most security “firewalls” use NAT, so if you use a firewall, you’re in violation.

If you have a home DSL router, or if you use the “Internet Connection Sharing” feature of your favorite operating system product, you’re in violation because these connection sharing technologies use NAT. Most operating system products (including every version of Windows introduced in the last five years, and virtually all versions of Linux) would also apparently be banned, because they support connection sharing via NAT.

And this is just one example of the problems with these bills. Yikes.

UPDATE (6:35 PM): It’s worse than I thought. Similar bills are on the table in South Carolina, Florida, Georgia, Alaska, Tennessee, and Colorado.

UPDATE (March 28, 9:00 AM): Clarified the paragraph above about encrypted email, to eliminate an ambiguity.

UPDATE: I now have a page with information about all of these bills, including the current status in each state.


Finkelstein Replies on ARDG and the Press

Seth Finkelstein replies to my previous posting on companies’ press policies by suggesting that companies are rational to keep their engineers away from the press, because of concerns about being unfairly misquoted.

I can see his point, by I think hatchet-job stories are pretty rare in the respectable media, and I also think that most readers recognize such stories and discount them. Reporters resent being manipulated and are more likely to seize on a misstatement if it is the only interesting thing you say. If you want them to write about substance, you have to talk to them about substance.

Seth’s example, the “Al Gore invented the Internet” story, is a good illustration. Gore’s organization was trying to manipulate the press, as all political campaigns do. Gore was available to the press mainly in highly scripted situations, so when he went off script and said something he shouldn’t have said, it was newsworthy.

(And though too much was made of Gore’s statement, he did say, “I took the initiative in creating the Internet”, which just isn’t true. Yes, Gore deserves credit for promoting the Internet before almost anyone else on Capitol Hill had even heard of it; and yes, he did take the initiative in funding the Internet at a crucial stage of its build-out. But there is a big difference between creating something and merely paying for a stage of its construction.)


NRC Report on Authentication Technology and Privacy

The authoritative National Research Council has issued an important new report entitled “Who Goes There?: Authentication Through the Lens of Privacy.” Like all NRC reports, this is an in-depth document reflecting the consensus of an impressive panel of experts.

Often people think of authorization (that is, ensuring that only authorized people get access to a resource) is antithetical to privacy, but this need not be true. One of the report’s findings is this:

Authorization does not always require individual authentication or identification, but mosts existing authorization systems perform one of these functions anyway. Similarly, a requirement for authentication does not always imply that accountability is needed, but many authentication systems generate and store information as though it were.

There are many ways to use authentication in designing systems, and a careful design can reduce the privacy cost that must be paid to achieve a given level of security. There is not a single “knob” that we can turn to trade off security against privacy, but a complex landscape in which we can hope to get more of both, if we choose wisely.