Feeds

‘Super-DMCA’ fears suppress security research

'Everything I do is illegal'

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

Steganography and honeypot expert Niels Provos may risk four years in prison by completing his Ph.D., writes Kevin Poulsen, of SecurityFocus.

A University of Michigan graduate student noted for his research into steganography and honeypots -- techniques for concealing messages and detecting hackers, respectively -- says he's been forced to move his research papers and software offshore and prohibit U.S. residents from accessing it, in response to a controversial new state law that makes it a felony to possess software capable of concealing the existence or source of any electronic communication.

"Concealing the existence of communication is my dissertation, and concealing the source of communication takes place in honey nets," says Niels Provos. "So I decided to be proactive about it and move it to another location, and for now just deny anybody from the states to download any of my software."

At issue are the so-called "Super-DMCA" bills under consideration in seven states, which have already become law in six others. Similar in some ways to the federal Digital Millennium Copyright Act -- which made it a crime to distribute software that cracks copy protection schemes -- the state measures appear to target those who would steal pay-per-view cable television shows or defraud broadband providers. Though the bills vary in language and scope, they are patterned after model legislation pushed by the Motion Picture Association of America along with the Broadband and Internet Security Taskforce, the latter a consortium of cable companies and premium channels.

The Super DMCA began quietly passing state legislatures two years ago, but did not come to public attention until last month, when the broad language in some versions of the bill immediately sparked anger from technologists and public interest groups.

The , which took effect on March 31st, typifies the legislation: Among other things, residents of the Great Lakes State can no longer knowingly "assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise" any device or software that conceals "the existence or place of origin or destination of any telecommunications service." It's also a crime to provide written instructions on creating such a device or program. Violators face up to four years in prison.

Taken literally, the law is bad news for businesses like Anonymizer.com and Hushmail -- both services cater to privacy-conscious Internet users determined to conceal their place of origin from marketers, or to communicate anonymously. Critics say it would also ban firewalls and NAT boxes, dealing a blow to Internet security. "This statute essentially criminalizes the mere possession of technology," says Fred von Lohmann, senior staff attorney at the Electronic Frontier Foundation, which opposes the legislation.

From Michigan to the Netherlands

Provos says the Michigan law also makes most of his academic career a crime. Provos is an expert on steganography, the science of concealing secret messages in seemingly innocuous content. He's developed software to detect some types of stego in image files, but he's also worked the other side, developing improved methods for preventing a message from being detected. He also wrote "HoneyD," a free program that simulates a network of computers, with the aim of luring in and detecting hackers. The deceptive software arguably conceals the source of a communication.

"It's very difficult, reading the law, it makes basically everything that I do illegal," says Provos.

So last week Provos took his research papers and software off of his home page, and relocated them to a server in the Netherlands. To play it safe, he also erected a barrier of sorts to U.S. visitors: to access the new page, a user has to answer three questions affirming that they are not in the United States, or another country with similar laws. He hopes it's enough to give him legal cover. "I'm not really sure how this works. If I give access to people in the U.S. and I live in Michigan, could that be construed as a problem?," he says. "And there are a lot of other states that have passed their own laws."

Provos says the offshore site is a temporary measure while he awaits an opinion from the University of Michigan's legal department. Meanwhile, he's urging colleagues in the security community to contact his state's legislators and fill them in on the unintended consequences of the Super-DMCA. But he insists the whole thing isn't a protest or a publicity stunt. Though nobody has yet been prosecuted under the law, Provos, a German national, says his concern is genuine. "As a foreigner I have to be very careful... I'd rather follow the law to the letter than be negatively surprised later."

The EFF's von Lohmann says he's worried that Provos may not have gone far enough. "If he's still in Michigan... Sure, he has a questionnaire, but maybe that's not enough," he says. "I don't know. This is all untested territory."

In response to the early criticism, the industry groups pushing for the law released a new version of their model legislation on April 1st that, among other things, adds an "intent to defraud" to the language -- significantly narrowing the scope of the law. "That doesn't really fix all the problems because it's unclear to me what intent to defraud means in this context," says von Lohmann. In any event, unless lawmakers revisit their efforts, the new draft comes too late for Michigan residents, and those in other states where an old version of the bill has already become the law of the land.

© SecurityFocus Logo

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.