title: Legally mandated stupidity


by: Scott Bradner


A couple of weeks ago in this publication Winn Schwartau pointed out the stupidity of companies trying to invent their own encryption technologies. (nww Aug 27, pp 45, "To Hell With Proprietary Encryption Algorithms")  A good column but he only covered part of the stupidity -- the stupidity he did not cover is legally mandated.


The Digital Millennium Copyright Act (DMCA), signed into law by President Clinton on October 28th, 1998, (available at http://www.eff.org/ip/DMCA/hr2281_dmca_law_19981020_pl105-304.html) prohibits "any technology, product, service, device, component, or part thereof, that ... is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner."


But in outlawing tools for circumventing protection it is also outlawing the tools that researchers use to test security systems.  The only way to know if an encryption system works is to try to break it.  But having software that could be used to do this is outlawed by the DMCA.  So if someone manages to stumble on a hole in some security system which could conceivably be used to protect some copyrighted material, that covers just about all security systems, they can not report the problem without opening themselves up for prosecution for possession of the tools they used to find the hole.


In effect this law says that when some company or organization goes against Winn's good advice and hires some self-identified crypto experts to create a proprietary protection scheme and that scheme turns out to be as an effective a barrier as wet tissue paper, no one can tell them the vulnerability without risk of arrest.  This law mandates ignorance.  This makes about as much sense as outlawing reporting on deaths that occur during drug trials.  In effect, the law mandates crappy security.


And we have recently seen a lot of security is not as good as the inventers thought it was. The list is getting longer by the day: DVDs, 802.11 Wired Equivalent Privacy (WEP), most watermark schemes, Adobe e-books, and, reported yesterday, maybe even Microsoft's e-books.  Who knows what other systems have been broken but not reported on because of the threat of the DMCA.


Security is hard. It is very hard for a developer to find all the holes in a design or implementation. (Just ask Microsoft!) Making it illegal for people to report vulnerabilities when they show up does not add to security.  (If that sounds like a reach from the DMCA see: http://www.interesting-people.org/200108/0189.html)


If you implement security-related software the DMCA mandates that you stay in the dark if someone manages to break your security, on purpose or by accident.  It mandates that no one but the bad guys know about vulnerabilities.  It mandates that US companies create and use poor security on the Internet in the face of concerted attacks from many parts of the world. This is breathtakingly stupid. 


It may also be an unconstitutional abridgement of free speech, time and the courts will tell.  But meanwhile - rest well, knowing that the US government is protecting the ability of the bad guys to exploit holes in crappy software.


disclaimer: Harvard is not associated with anything crappy so the above must be my own opinion.