Interesting People mailing list archives
IP: LEADING SECURITY RESEARCHERS URGE CONGRESS TO RECONSIDER
From: Dave Farber <farber () cis upenn edu>
Date: Sat, 01 Aug 1998 13:13:54 -0500
(I fully endorse the position taken. djf)

LEADING SECURITY RESEARCHERS URGE CONGRESS TO RECONSIDER PENDING COPYRIGHT LEGISLATION

Washington, DC - A group of nearly 50 of the nation's top security researchers and practitioners have delivered a letter to Congressional leaders urging them to reconsider provisions of controversial legislation concerning copyright protection. Several versions of the bill, H.R. 2281 (the "Digital Millennium Act"), are currently under consideration by the House of Representatives, and one version has already passed the Senate.

The bill would make it illegal to circumvent "technological protection measures" that could be used to protect digital works on the Internet. However, those same technologies are also employed to protect users against computer viruses, perform security tests of commercial network installations, and conduct basic security education and research in universities and government labs. The experts assert that if the bill is passed in its current form, many vital forms of security testing may be rendered illegal.

Realizing that scientists need to circumvent systems to conduct effective research, the House Commerce Committee recently amended the bill to permit circumvention for the purposes of encryption research. However, according to security experts, such a provision simply does not go far enough.

"[The Commerce Committee bill] fails to further recognize that encryption research is simply one aspect of security research, and that research is different from actual practice. While [the bill] may exempt encryption research, it still criminalizes other crucial techniques used in security research and practice," wrote Eugene Spafford, the author of the letter, and a world-leading expert in information security.

"If passed in anything similar to its present form, [the Digital Millennium Copyright Act] has the potential to imperil computer systems and networks throughout the United States, criminalize many current university courses and research in information security, and severely disrupt a growing American industry in information security technology. The result would be grave damage to the U.S. economy and to national security."

Ironically, the letter comes at a time when security researchers are working to alert the public to a significant security flaw found in three of the most popular e-mail systems in use in the Internet. On Tuesday, the U.S. Energy Department's security team issued an emergency bulletin, confirming reports that Microsoft Outlook Express, Outlook 98, and Netscape's Messenger Mail all contain serious security flaws. Identified, in part, through processes of reverse engineering -- one of the techniques that would be prohibited by the pending legislation -- the security hole allows booby-trapped e-mail messages to cause havoc on a user's computer system.

Security researchers have noted that such serious security flaws are often uncovered only because the public is able to freely test the security of such programs. Public scrutiny and outcry are sometimes the only way that such security flaws are identified and quickly fixed before criminals can identify and exploit the flaw themselves. However, the Digital Millennium Copyright Act could very well prohibit the processes of public scrutiny, reverse engineering, and public notice that have successfully identified these flaws to date.

Bruce Schneier, noted cryptography expert and author, described the situation as "In our country there is a long tradition of consumer advocacy. Organizations like Consumer Reports regularly evaluate products and make those evaluations available to buyers. The WIPO provision against encryption research would make it illegal for companies to evaluate security products. If a company asked me which firewall was good, it would be illegal for me to tell them. This is like the meat industry getting a law passed making it illegal for someone to publicize that a particular brand of hamburger has rat hair in it."

Spafford drafted the letter on Wednesday, July 29, after becoming aware of the full import of the pending legislation. Within hours, 48 experts agreed to act as co-signers. Spafford noted "If we had more time to solicit supporters, we might have doubled the number of prominent names on the letter. The community is gravely concerned that this legislation will endanger information security in the U.S. Although we are against violation of valid copyrights, we believe that legislation should be designed to punish the violators rather than criminalize tools that are also necessary to the protectors."

An electronic copy of the security researchers' letter is available at: <http://www.cs.purdue.edu/homes/spaf/WIPO/>. Contact details and pointers to background information are also present at this location.