March 28, 2024

Another Egregious Super-DMCA Provision

I have written before about the danger posed by the Super-DMCA’s ban on concealing the origin or destination of communication. I want to turn your attention now to a much more egregious provision of these bills – the ban on devices and information.

Here is the relevant portion of the MPAA’s model legislative language:

Any person commits an offense if he knowingly:

(4) possesses, uses, prepares, distributes, sells, gives, transfers or offers, promotes or advertises for sale, use or distribution any:

(ii) material, including hardware, cables, tools, data, computer software or other information or equipment … for use in the manufacture, assembly or development of an unlawful access device; …

The term at the end, “manufacture, assembly or development of an unlawful access device”, is defined this way:

To […] or modify, alter, program or reprogram any instrument, device, machine, equipment, technology or software so that it is capable of defeating or circumventing any technology, device or software used by the provider, owner or licensee of a communication service, or of any data, audio or video programs or transmissions, to protect any such communication, data, audio or video services, programs or transmissions from unauthorized receipt, interception, acquisition, access, decryption, disclosure, communication, transmission or re-transmission, or to knowingly assist others in those activities.

Note the breadth of this language – to be in violation, the device need only be capable of circumventing a measure that somebody uses to protect their data from unauthorized receipt, interception, acquisition, access, decryption, disclosure, communication, transmission or re-transmission.

This is stunning in its overbreadth. Any device that is even capable of illegal uses is banned, and even information that could be used to build such a device is banned.

This would appear to make most computer security research illegal, since it would be illegal to even talk about how somebody might to try defeat a security measure. As a computer security researcher, I consider that a big problem. In this case, though, that problem is small potatoes compared to the greater harm this part of the bill would do.

As a thought experiment, let’s try applying this approach to the regulation of non-technological goods. Imagine that it was illegal to make, use, or distribute “material … or information” that was “capable of” being used in a violent attack on another person.

In such a world, virtually all knives would be illegal. Ditto for screwdrivers or any other pointy objects. Hammers are out, too, along with all other blunt, heavy objects, including even rocks. Vehicles are probably out too, since they are capable of being used to attack someone. I could go on, but you get the picture.

Even information about how to make or use any of these dangerous devices would be banned.

Last week I asked my class if they could think of any technological tools that are capable of only illegal uses, or of only legal uses. They were hard pressed to think of any. That’s the nature of tools – they’re designed to be flexible and to admit a wide variety of uses. To ban every tool that might possibly be used illegally, and to ban even information about such tools, is simply madness.