Digg this story   Add to del.icio.us  
Copyright, Security, and the Hollywood Hacking Bill
Richard Forno, 2002-07-31

Proposed copyright enforcement legislation may circumvent fundamental constitutional protections and create chaos on the Internet.

Copyright enforcement, the attempt by the entertainment industry to prop up their obsolete business models, is increasingly a danger to the legitimate use of information technology and, by extension, the future of the Internet community.

The latest troubling development in copyright enforcement is a bill recently introduced in the Congress by Howard Berman (D-CA). This bill would allow copyright holders to disable computers used to illegally trade copyrighted material, such as music and movies. Copyright holders would be exempt from computer hacking laws, and allowed to disable P2P networks allegedly used in illegal file sharing by various technical means currently prohibited by existing computer crime laws. It would grant copyright holders legal carte blanche to ping, probe, scan, disrupt, attack, and crack remote computer systems or infrastructures to ensure no copyright infringements are taking place. Not only that, but under the bill, the copyright holder is not liable for any damages beyond $50 resulting from their on-line copyright enforcement. (For the full text of the proposed legislation, please click here.)

Of course, a “copyright holder” can include just about anyone, from Hollywood’s entertainment cartels to owners of Weblogs and to students posting essays on the Web. But what’s good for the goose may not be good for the gander. The day after the bill’s introduction in the US House, Jack Valenti, chairman of the Motion Picture Association, was quoted saying that “there are aspects of the bill we believe need changing as it moves through the legislative process.” As a recent Register article notes, the sweeping powers and immunities of the Berman bill were most likely intended to apply only to large entertainment entities, not every copyright holder on the Net.

This bill has many ethical and legal problems; but of greater to concern to SecurityFocus readers, it opens the door to several potentially significant security problems. This bill raises serious issues surrounding the confidentiality, availability, and integrity of data on end users’ systems. In essence, it could facilitate and legalize hacking, cracking, and on-line mischief on an unprecedented scale under the aegis of copyright enforcement.

If it passes, the Hollywood Hacking law, as Berman’s bill has come to be known, would give a profit-driven industry license to do what the government cannot: conduct searches of personal property at any time without the case-by-case justification a search warrant requires. In other words, the constitutional protection against unreasonable search and seizure is abrogated, thereby negating the users’ implicit guarantees of privacy and confidentiality. More frightening, these non-government, for-profit entities would be free to disrupt personal property (namely computers and networks) in their attempts to "enforce copyright" - too bad if legitimate data or activities are affected by such enforcement activities.

In essence, this bill endows corporate cultural manufacturers with the power to enforce copyright laws on their own, effectively replacing the state and its legitimate judicial structures and constitutional constraints with the power of vigilante-style self-defense for their specific niche industries and interests.

This isn’t copyright enforcement, it’s the Hollywood Gestapo: we’re all presumed guilty and treated as such until they can actually prove it. Due process is absolutely disregarded. Parties with huge vested interests, a failing business model, and no public accountability are writing rules of evidence and procedure that can change on a case-by-case basis. It goes without saying this putative copyright protection offers end users - whether engaged in illegal activities or not - no recourse, protection, or privacy.

Instead of securing the Internet, this bill, by placing the onus of law enforcement in the private sector’s hands, actually increases the anarchic, Wild West environment that legislators criticize the Internet for embodying. For instance, does this proposed law mean that I, as a copyright holder (albeit a small one) can take offensive technical actions against a third party’s home computer because I suspect he or she is archiving or exchanging copies of my articles and on-line rants? While I would welcome such technical immunity, I sincerely hope, in the name of order and good governance, that the Berman Bill fails to become law. (For a related discussion of the implications of this type of vigilantism, please see Tim Mullen’s column The Right to Defend.)

Should this bill become law, the blanket authority granted to copyright holders to rifle through any networked device looking for copyrighted information would nearly eradicate the confidentiality of end user data – the essence of information security. Furthermore, assuming the Berman Bill treats ALL copyright holders as equals, anyone with legitimately copyrighted material could use the law to justify malicious on-line activity against remote sites to ensure his copyright interests were protected, even if the copyrighted material was trivial in value. As such, this bill could give malicious hackers the legal camouflage beneath which to conduct illegal intrusions. For instance, it may allow them to justify unauthorized entrance (hacking) into Internet-connected systems or drafting new viruses or worms in the name of enforcing their copyright rights pertaining to anything from an e-mail message to zero-day exploit codes. If this bill passes, how are we to differentiate between intrusive on-line activities done in the name of legitimate copyright enforcement from those that are not?

Regardless of such legal fine points, what effect will this bill have on attempts to secure networks (a novel concept, I know, but some people refer to it as a noble and desirable goal). From a security administration point of view such on-line actions could easily become a drain on network resources, generating large reams of log data, and requiring IT administrators to spend more time and resource investigating and/or compensating for this increase in activity. How could sys-admins possibly distinguish between probes monitoring on behalf of legal copyright holders and those hoping to crack their systems?

Finally, what if I use an operating system that the Hollywood Hackers can’t snoop on? What if I design a very secure network, deploy a private and secured peer-to-peer system for use in my company or among a few close friends, and block malicious incoming traffic at my firewall in the interest of good system administration and security? Will this constitute a breach of copyright laws in some twisted, Kafkaesque way?

Will having a firewall, implementing strong system security practices, or being a good system administrator become an illegal and prosecutable offence because it circumvents copyright controls? I mean, given recent speculation that black magic markers might become criminalized under DMCA, could we be penalized under the Hollywood Hacking law for actually having systems secure from unauthorized remote entry?. As a nation, we’re finally starting to take system security seriously, and now - thanks to Congressman Berman’s proposal - it might be illegal to actually do so?

I’ve said it before, and I’ll say it again: when it comes to technology policy, our current crop of lawmakers just don’t get it.

Further Reading/Resources:

Operation ENDURING VALENTI

Microsoft Makes An Offer You Can’t Refuse

Full text of Rep. Berman’s “Hollywood Hacking” Bill

Rep. Berman’s Statement Introducing the “Hollywood Hacking” Bill

Opensecrets.Org Report on Hollywood Contributions to Congress (Note the sharp spike since the Internet came into widespread use.)


Richard Forno is the coauthor of Incident Response (O'Reilly) and The Art of Information Warfare (Universal). He helped to establish the first incident response team for the U.S. House of Representatives, and is the former Chief Security Officer at Network Solutions. Richard is currently writing and consulting in the Washington, DC area.
    Digg this story   Add to del.icio.us  
Comments Mode:


 

Privacy Statement
Copyright 2010, SecurityFocus