Interesting People mailing list archives

IP: LEADING SECURITY RESEARCHERS URGE CONGRESS TO RECONSIDER


From: Dave Farber <farber () cis upenn edu>
Date: Sat, 01 Aug 1998 13:13:54 -0500

( I fully endorse the position taken. djf)




        LEADING SECURITY RESEARCHERS URGE CONGRESS TO RECONSIDER
                    PENDING COPYRIGHT LEGISLATION


   Washington, DC - A group of nearly 50 of the nation's top security
researchers and practitioners have delivered a letter to Congressional
leaders urging them to reconsider provisions of controversial legislation
concerning copyright protection. Several versions of the bill, H.R. 2281
(the "Digital Millennium Act"), are currently under consideration by the
House of Representatives, and one version has already passed the Senate.
The bill would make it illegal to circumvent "technological protection
measures" that could be used to protect digital works on the Internet.
However, those same technologies are also employed to protect users against
computer viruses, perform security tests of commercial network
installations, and conduct basic security education and research in
universities and government labs. The experts assert that if the bill is
passed in its current form, many vital forms of security testing may be
rendered illegal.


Realizing that scientists need to circumvent systems to conduct effective
research, the House Commerce Committee recently amended the bill to permit
circumvention for the purposes of encryption research. However, according to
security experts, such a provision simply does not go far enough.


"[The Commerce Committee bill] fails to further recognize that encryption
research is simply one aspect of security research, and that research is
different from actual practice. While [the bill] may exempt encryption
research, it still criminalizes other crucial techniques used in security
research and practice," wrote Eugene Spafford, the author of the letter,
and a world-leading expert in information security. "If passed in anything
similar to its present form, [the Digital Millennium Copyright Act] has the
potential to imperil computer systems and networks throughout the United
States, criminalize many current university courses and research in
information security, and severely disrupt a growing American industry in
information security technology. The result would be grave damage to the
U.S. economy and to national security."


Ironically, the letter comes at a time when security researchers are
working to alert the public to a significant security flaw found in three
of the most popular e-mail systems in use in the Internet. On Tuesday, the
U.S. Energy Department's security team issued an emergency bulletin,
confirming reports that Microsoft Outlook Express, Outlook 98, and
Netscape's Messenger Mail all contain serious security flaws. Identified,
in part, through processes of reverse engineering -- one of the techniques
that would be prohibited by the pending legislation -- the security hole
allows booby-trapped e-mail messages to cause havoc on a user's computer
system. Security researchers have noted that such serious security flaws
are often uncovered only because the public is able to freely test the
security of such programs. Public scrutiny and outcry are sometimes the
only way that such security flaws are identified and quickly fixed before
criminals can identify and exploit the flaw themselves. However, the
Digital Millennium Copyright Act could very well prohibit the processes of
public scrutiny, reverse engineering, and public notice that have
successfully identified these flaws to date.


Bruce Schneier, noted cryptography expert and author, described the
situation this way: "In our country there is a long tradition of consumer
advocacy.  Organizations like Consumer Reports regularly evaluate products
and make those evaluations available to buyers.  The WIPO provision against
encryption research would make it illegal for companies to evaluate
security products.  If a company asked me which firewall was good, it would
be illegal for me to tell them.  This is like the meat industry getting a
law passed making it illegal for someone to publicize that a particular
brand of hamburger has rat hair in it."


Spafford drafted the letter on Wednesday, July 29, after becoming aware of
the full import of the pending legislation. Within hours, 48 experts agreed
to act as co-signers. Spafford noted "If we had more time to solicit
supporters, we might have doubled the number of prominent names on the
letter. The community is gravely concerned that this legislation will
endanger information security in the U.S.   Although we are against
violation of valid copyrights, we believe that legislation should be
designed to punish the violators rather than criminalize tools that are
also necessary to the protectors."




An electronic copy of the security researchers' letter is available at:
<http://www.cs.purdue.edu/homes/spaf/WIPO/>.  Contact details and pointers
to background information are also present at this location.

