November 21, 2024

Response to Declan's DMCA Piece

Declan McCullagh misses the boat at least twice in his August 19th
column concerning the potential impact on computer science research of
the Digital Millennium Copyright Act [“Debunking DMCA myths,” c|net
News.Com, http://news.com.com/2010-12-950229.html].

First, the DMCA has two arms: one that prohibits devices that circumvent
copy protection, and one that prohibits acts of circumvention. The
research conducted by Professor Felten and his colleagues took place
prior to the time when the “acts of circumvention” provisions became
effective in October 2000. Thus, these provisions did not apply to that
research. However, there is little doubt in the legal community that
this research, and similar research, would be illegal under the “acts of
circumvention” provisions. Declan fails to recognize this arm of the
DMCA in his column.

Second, the chilling effect of the DMCA cannot be described by the
probability of conviction alone. One must also consider the magnitude
of the exposure if convicted. Because the “acts of circumvention”
provisions of the DMCA were not in effect at the time of the Felten
research, the probability of an adverse judgment was indeed small.
However, a group of highly respected legal consultants told Felten’s
employer that the cost of an adverse judgment could be truly enormous.
The combination of these two factors had a very substantial chilling
effect. (It is also the case that two individuals were likely to lose
their jobs if the paper was published. This illustrates the human
dimension of the chilling effect.)

Other issues, on which we shall not elaborate, include the
anti-dissemination provisions of the DMCA, and the civil (in addition to
criminal) provisions.

It is disruptive to the progress of research when scientists must first
consult with attorneys to determine if previously legitimate research
might be in violation of the DMCA. We are happy to agree with Declan
that “The DMCA is … an egregious law … and should be unceremoniously
tossed out by the courts.”

Edward W. Felten
Princeton University

Edward D. Lazowska
University of Washington; Co-chair, Computing Research Association
Government Affairs Committee

Barbara Simons
Co-chair, ACM US Public Policy Committee

Keystone SpamKops (cont. 3)

Several people have asked me to expand upon a semi-cryptic comment I made in a previous post, saying that SpamCop’s system allows denial-of-service attacks. What I mean is that it appears that a malicious person could easily put you, or me, or anybody else on SpamCop’s block-list. There are at least three ways somebody could put XYZ.com (a hypothetical site) on the blocklist.

(1) Send a spam message containing the characters “http://www.XYZ.com,” and wait for spam’s recipients to report it to SpamCop.

(2) Sign up for a legitimate mailing list run by XYZ.com. Then when XYZ.com sends legitimate email messages on the list, maliciously report those messages as spam.

(3) Forge the text of spam messages purportedly from XYZ.com, and report the forged messages as spam.

It’s probably illegal to carry out such an attack, but it’s scary that SpamCop apparently makes it so easy.

Lawyers, Tiggers and Bears, Oh My!

That’s the title of a hilarious article in L.A. Magazine about the ongoing legal battle over the rights to Winnie-the-Pooh. It’s full of telling details about the state of “intellectual property” law today, and about the mindset of the people involved.

My favorite example is a statement by Disney’s lawyer: “The legacy of Winnie-the-Pooh and the treasure that it is for generations of kids is something that Disney has taken the time and money to accomplish.” And to think that I had always given the credit to A.A. Milne.

Keystone SpamKops (cont. 2)

Thomas Roessler is the person who sent the innocent email message that the Keystone SpamKops incorrectly characterized as spam, leading to my summary ejection from the net. He did nothing wrong, and once he heard about the problem he did his best to rectify it – but the SpamKops apparently ignored his messages as they ignored everyone trying to resolve the problem. He comments on the situation in his blog.

Washington Post: Break-Ins to Military Computers

Interesting article today in the Washington Post about some freelance consultants who apparently rummaged through a bunch of Department of Defense computers without authorization. What they found was pretty appalling. But what they did seems pretty appalling too – although the article takes pains not to mention this. Here is the beginning of the article:

Security consultants entered scores of confidential military and government computers without approval this summer, exposing vulnerabilities that specialists say open the networks to electronic attacks and spying.

The consultants, inexperienced but armed with free, widely available software, identified unprotected PCs and then roamed at will through sensitive files containing military procedures, personnel records and financial data.

[…]

ForensicTec officials said they first stumbled upon the accessible military computers about two months ago, when they were checking network security for a private-sector client. They saw several of the computers’ online identifiers, known as Internet protocol addresses. Through a simple Internet search, they found the computers were linked to networks at Fort Hood.

Former employees of a private investigation firm – and relative newcomers to the security field – the ForensicTec consultants said they continued examining the system because they were curious, as well as appalled by the ease of access.

What is amazing to me is that the writer seems to be working hard to avoid pointing out that what these guys did looks to have been unethical and probably illegal. The rule is pretty simple – honest discussion of security vulnerabilities: good; actually breaking into other people’s computers: bad.

True, careful readers of the article might still connect the dots between the description of what the ForensicTec guys did, and the mention fifteen paragraphs later of laws against unauthorized intrusion. But isn’t it the writer’s job to point out such basic connections?

It’s hard to believe the writer and his editor would have missed this obvious point. Yet I can’t understand why they would have chosen to ignore it. Any suggestions?

UPDATE: Within hours of appearance of the above-mentioned Washington Post article, the FBI raided the offices of ForensicTec.