A bill intended to protect intellectual property, but so poorly framed that it criminalizes computer security measures, has been approved by the US House of Representatives. The Digital Millennium Copyright Act makes it illegal even to attempt to circumvent measures intended to prevent intellectual property theft. In practice, this would make it a crime to reverse engineer cryptographic software or test network firewalls for strength.
“What it means is that the computer security industry has managed to make itself immune to consumer protection and testing,” says Bruce Schneier, chairman and CEO of Counterpane Systems. It’s as if the meat industry could prevent anyone from publishing figures on rat hairs found in hamburgers, or as if it was illegal to conduct safety tests on cars without permission from General Motors.
Draconian as the legislation is, it seems unlikely that federal agents will start breaking down doors and arresting systems administrators any time soon – if only because there’s no sensible way to implement such a law. “I don’t think there’s anything enforceable in it,” says Russ Cooper, a computer security consultant and the moderator of the NT BugTraq mailing list, “what I am concerned about is the dampening effect it could have on the viability of security engineering.”
Schneier agrees that the law could squelch the market. What he most fears is a brain drain as cryptographic and computer security professionals abandon the United States for friendlier legislative regimes abroad. Has he considered moving? “I’ve talked about it,” he admits, “I am worried.”
Utah’s Senator Orrin Hatch has introduced amendments that soften the effect of the legislation on America’s computer security professionals, but these have been deemed inadequate (CI No 3,456). Cooper describes Hatch’s amendments as a grandiose attempt to make a name for himself as technology aware in Utah, a state where many people are employed by Novell, a technology company.
Cooper says that politicians are attempting to predict the future of an industry they don’t understand, and that their desire to enshrine their predictions in stone makes for bad legislation. “This is just another example of why we don’t buy software from the government,” he says, “it is just not good at coming up with the feature set we need.”
Is the government to blame, or is it big business? Schneier points the finger at companies like Disney and Microsoft whose assets include large amounts of electronically copyrightable material. “Either they can protect that with good security or they can use bad security and make it illegal for you to notice,” he says, “using bad security is cheaper.” To Microsoft there are no security problems. There are only PR problems.
With activists scrambling to alert the government to the negative consequences of the bill, computer security now has a PR problem of its own – not to mention the little matter of plummeting morale. As Cooper concludes, the most absurd thing about the legislation is its misleadingly innocuous name. “We don’t need a digital millennium based on copyright,” he says, “we need it to be based on sharing of information.” If the Copyright Act goes ahead in its present form, we may not have a digital millennium at all.