Feeds

‘Super-DMCA’ fears suppress security research

'Everything I do is illegal'

  • alert
  • submit to reddit

High performance access to file storage

Steganography and honeypot expert Niels Provos may risk four years in prison by completing his Ph.D., writes Kevin Poulsen, of SecurityFocus.

A University of Michigan graduate student noted for his research into steganography and honeypots -- techniques for concealing messages and detecting hackers, respectively -- says he's been forced to move his research papers and software offshore and prohibit U.S. residents from accessing it, in response to a controversial new state law that makes it a felony to possess software capable of concealing the existence or source of any electronic communication.

"Concealing the existence of communication is my dissertation, and concealing the source of communication takes place in honey nets," says Niels Provos. "So I decided to be proactive about it and move it to another location, and for now just deny anybody from the states to download any of my software."

At issue are the so-called "Super-DMCA" bills under consideration in seven states, which have already become law in six others. Similar in some ways to the federal Digital Millennium Copyright Act -- which made it a crime to distribute software that cracks copy protection schemes -- the state measures appear to target those who would steal pay-per-view cable television shows or defraud broadband providers. Though the bills vary in language and scope, they are patterned after model legislation pushed by the Motion Picture Association of America along with the Broadband and Internet Security Taskforce, the latter a consortium of cable companies and premium channels.

The Super DMCA began quietly passing state legislatures two years ago, but did not come to public attention until last month, when the broad language in some versions of the bill immediately sparked anger from technologists and public interest groups.

The , which took effect on March 31st, typifies the legislation: Among other things, residents of the Great Lakes State can no longer knowingly "assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise" any device or software that conceals "the existence or place of origin or destination of any telecommunications service." It's also a crime to provide written instructions on creating such a device or program. Violators face up to four years in prison.

Taken literally, the law is bad news for businesses like Anonymizer.com and Hushmail -- both services cater to privacy-conscious Internet users determined to conceal their place of origin from marketers, or to communicate anonymously. Critics say it would also ban firewalls and NAT boxes, dealing a blow to Internet security. "This statute essentially criminalizes the mere possession of technology," says Fred von Lohmann, senior staff attorney at the Electronic Frontier Foundation, which opposes the legislation.

From Michigan to the Netherlands

Provos says the Michigan law also makes most of his academic career a crime. Provos is an expert on steganography, the science of concealing secret messages in seemingly innocuous content. He's developed software to detect some types of stego in image files, but he's also worked the other side, developing improved methods for preventing a message from being detected. He also wrote "HoneyD," a free program that simulates a network of computers, with the aim of luring in and detecting hackers. The deceptive software arguably conceals the source of a communication.

"It's very difficult, reading the law, it makes basically everything that I do illegal," says Provos.

So last week Provos took his research papers and software off of his home page, and relocated them to a server in the Netherlands. To play it safe, he also erected a barrier of sorts to U.S. visitors: to access the new page, a user has to answer three questions affirming that they are not in the United States, or another country with similar laws. He hopes it's enough to give him legal cover. "I'm not really sure how this works. If I give access to people in the U.S. and I live in Michigan, could that be construed as a problem?," he says. "And there are a lot of other states that have passed their own laws."

Provos says the offshore site is a temporary measure while he awaits an opinion from the University of Michigan's legal department. Meanwhile, he's urging colleagues in the security community to contact his state's legislators and fill them in on the unintended consequences of the Super-DMCA. But he insists the whole thing isn't a protest or a publicity stunt. Though nobody has yet been prosecuted under the law, Provos, a German national, says his concern is genuine. "As a foreigner I have to be very careful... I'd rather follow the law to the letter than be negatively surprised later."

The EFF's von Lohmann says he's worried that Provos may not have gone far enough. "If he's still in Michigan... Sure, he has a questionnaire, but maybe that's not enough," he says. "I don't know. This is all untested territory."

In response to the early criticism, the industry groups pushing for the law released a new version of their model legislation on April 1st that, among other things, adds an "intent to defraud" to the language -- significantly narrowing the scope of the law. "That doesn't really fix all the problems because it's unclear to me what intent to defraud means in this context," says von Lohmann. In any event, unless lawmakers revisit their efforts, the new draft comes too late for Michigan residents, and those in other states where an old version of the bill has already become the law of the land.

© SecurityFocus Logo

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.