Security /

Legally mandated stupidity

By Scott Bradner
Network World, 09/10/01

A couple of weeks ago in this publication, Winn Schwartau pointed out the stupidity of companies trying to invent their own encryption technologies in a column headlined "To hell with proprietary encryption algorithms". This is a good column, but he only covered part of the stupidity - the stupidity he did not cover is legally mandated.

President Clinton signed the Digital Millennium Copyright Act (DMCA) into law Oct. 28, 1998 (a copy is available here).

The law prohibits "any technology, product, service, device, component, or part thereof, that . . . is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner."

By outlawing tools for circumventing protection, it is also outlawing tools researchers use to test security systems. The only way to know if an encryption system works is to try to break it. But having software that could be used to do this is outlawed by the DMCA.

So if someone stumbles on a hole in some security system that could conceivably be used to protect some copyrighted material - that covers just about all security systems - that person cannot report the problem without opening himself or herself up for prosecution for possession of the tools used to find the hole.

In effect, this law says that when a company or organization goes against Winn's good advice and hires self-proclaimed crypto-experts to create a proprietary protection scheme and that scheme turns out to be as effective a barrier as wet tissue paper, no one can tell them about the vulnerability without risk of arrest. This law mandates ignorance. This makes about as much sense as outlawing reporting on deaths that occur during drug trials. In effect, the law mandates crappy security.

And we have recently seen a lot of security is not as good as inventors originally thought. The list is getting longer by the day: DVDs, 802.11 Wired Equivalent Privacy, most watermark schemes, Adobe e-books and, as recently reported, maybe even Microsoft's e-books. Who knows what other systems have been broken but not reported on because of the threat of the DMCA?

Security is hard. It is very hard for a developer to find all the holes in a design or implementation (just ask Microsoft!). Making it illegal for people to report vulnerabilities does not add to security. (If that sounds like a reach from the DMCA, see this.)

If you implement security-related software, the DMCA mandates that you stay in the dark if someone manages to break your security, on purpose or by accident. It mandates that no one but the bad guys know about vulnerabilities. It mandates that U.S. companies create and use poor security on the Internet in the face of concerted attacks from many parts of the world. This is breathtakingly stupid.

It may also be an unconstitutional abridgement of free speech - time and the courts will tell. Meanwhile, rest well, knowing that the U.S. government is protecting the ability of the bad guys to exploit holes in crappy software.

Disclaimer: Harvard is not associated with anything crappy, so the above must be my own opinion.