‘Super-DMCA’ fears suppress security research

'Everything I do is illegal'

Steganography and honeypot expert Niels Provos may risk four years in prison by completing his Ph.D., writes Kevin Poulsen, of SecurityFocus.

A University of Michigan graduate student noted for his research into steganography and honeypots -- techniques for concealing messages and detecting hackers, respectively -- says he's been forced to move his research papers and software offshore and prohibit U.S. residents from accessing it, in response to a controversial new state law that makes it a felony to possess software capable of concealing the existence or source of any electronic communication.

"Concealing the existence of communication is my dissertation, and concealing the source of communication takes place in honey nets," says Niels Provos. "So I decided to be proactive about it and move it to another location, and for now just deny anybody from the states to download any of my software."

At issue are the so-called "Super-DMCA" bills under consideration in seven states, which have already become law in six others. Similar in some ways to the federal Digital Millennium Copyright Act -- which made it a crime to distribute software that cracks copy protection schemes -- the state measures appear to target those who would steal pay-per-view cable television shows or defraud broadband providers. Though the bills vary in language and scope, they are patterned after model legislation pushed by the Motion Picture Association of America along with the Broadband and Internet Security Taskforce, the latter a consortium of cable companies and premium channels.

The Super-DMCA began quietly passing state legislatures two years ago, but did not come to public attention until last month, when the broad language in some versions of the bill immediately sparked anger from technologists and public interest groups.

The Michigan law, which took effect on March 31st, typifies the legislation: Among other things, residents of the Great Lakes State can no longer knowingly "assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise" any device or software that conceals "the existence or place of origin or destination of any telecommunications service." It's also a crime to provide written instructions on creating such a device or program. Violators face up to four years in prison.

Taken literally, the law is bad news for businesses like Anonymizer.com and Hushmail -- both services cater to privacy-conscious Internet users determined to conceal their place of origin from marketers, or to communicate anonymously. Critics say it would also ban firewalls and NAT boxes, which by design rewrite or hide the true source address of traffic leaving a network, dealing a blow to Internet security. "This statute essentially criminalizes the mere possession of technology," says Fred von Lohmann, senior staff attorney at the Electronic Frontier Foundation, which opposes the legislation.

From Michigan to the Netherlands

Provos says the Michigan law also makes most of his academic career a crime. Provos is an expert on steganography, the science of concealing secret messages in seemingly innocuous content. He's developed software to detect some types of stego in image files, but he's also worked the other side, developing improved methods for preventing a message from being detected. He also wrote "HoneyD," a free program that simulates a network of computers, with the aim of luring in and detecting hackers. The deceptive software arguably conceals the source of a communication.

"It's very difficult. Reading the law, it makes basically everything that I do illegal," says Provos.

So last week Provos took his research papers and software off his home page and relocated them to a server in the Netherlands. To play it safe, he also erected a barrier of sorts to U.S. visitors: to access the new page, a user has to answer three questions affirming that they are not in the United States, or another country with similar laws. He hopes it's enough to give him legal cover. "I'm not really sure how this works. If I give access to people in the U.S. and I live in Michigan, could that be construed as a problem?" he says. "And there are a lot of other states that have passed their own laws."

Provos says the offshore site is a temporary measure while he awaits an opinion from the University of Michigan's legal department. Meanwhile, he's urging colleagues in the security community to contact his state's legislators and fill them in on the unintended consequences of the Super-DMCA. But he insists the whole thing isn't a protest or a publicity stunt. Though nobody has yet been prosecuted under the law, Provos, a German national, says his concern is genuine. "As a foreigner I have to be very careful... I'd rather follow the law to the letter than be negatively surprised later."

The EFF's von Lohmann says he's worried that Provos may not have gone far enough. "If he's still in Michigan... Sure, he has a questionnaire, but maybe that's not enough," he says. "I don't know. This is all untested territory."

In response to the early criticism, the industry groups pushing for the law released a new version of their model legislation on April 1st that, among other things, adds an "intent to defraud" to the language -- significantly narrowing the scope of the law. "That doesn't really fix all the problems because it's unclear to me what intent to defraud means in this context," says von Lohmann. In any event, unless lawmakers revisit their efforts, the new draft comes too late for Michigan residents, and those in other states where an old version of the bill has already become the law of the land.

© SecurityFocus
