Freedom to Tinker

The British Parliament is now considering a bill that would make it illegal to change the IMEI number on a cell phone. Each phone has a unique IMEI which it uses to identify itself to the cell network; it’s like a serial number for the phone.

If you report your phone stolen, the cell operator blacklists your phone’s IMEI, effectively shutting off the stolen phone. But if the thief can reprogram the IMEI number, then he can keep using the stolen phone. Is this enough to justify banning the practice?

There are two questions we should ask ourselves in evaluating this kind of ban.

First: Is it necessary? Presumably there are already laws against stealing cell phones and against using a stolen phone. The bill only makes sense if those existing laws are somehow deficient. If the deficiency is that the existing laws carry insufficient penalties, then those penalties can be beefed up. If the deficiency is that the existing laws are hard to enforce, then we would still have to ask whether the newly proposed law is somehow easier to enforce.

Second: Does the practice that would be banned have significant legal uses? It is hard to object to a ban on practices that only criminals engage in, but if there are legitimate and legal uses of it then we should be much more reluctant to ban it. And we really have to try our hardest to think of legal uses – it is all too easy to ignore unusual or novel uses that would turn out to have great value in the future.

Based on my very limited knowledge, it looks like the ban on IMEI modifications may pass this two-part test, and so may be good policy. But I’m happy to hear any counterarguments.

Richard Clarke, the White House cybersecurity czar, in a speech today at the Black Hat conference, called for legal protection for tinkering by security researchers.

According to an Associated Press article by D. Ian Hopper, Clarke “encouraged the nation’s top computer security professionals and hackers Wednesday to try to break computer programs, but said they might need protection from the legal wrath of software makers.” The article also quotes Clarke as saying that security researchers “have an obligation to find the vulnerabilities.”

This is just common sense. Still, it’s refreshing to hear that somebody in official Washington understands the value of tinkering and open debate about technology.

In the current climate of concern about cyber-attacks, it’s astonishing that Congress is considering a bill that would legalize a wide range of cyber-attacks – yet that is just what the proposed Berman-Coble bill would do.

The bill allows the owner of a copyright to interfere with the computer or network of anybody who is thought to be using the copyrighted material without authorization. The bill allows any attack, so long as it does not mess with any files on the victim’s computer (other than copyrighted ones). For example, they can cut off your network connection, or even crash your computer.

I am not totally opposed to the idea of self-help for parties whose legal rights are being violated. But this bill goes way, way too far. For example, the bill allows attacks on anybody making “unauthorized” use of a work, even if that use is legal. (Under copyright law, if you own a legimate copy of a work, there are certain things you can do with that work whether the copyright holder likes it or not; so a use can be unauthorized but still legal) And the bill doesn’t do much to hold the attackers accountable for any collateral damage they cause.

Text of the proposed bill is available at http://www.politechbot.com/docs/berman.coble.p2p.final.072502.pdf