The following text is copyright 2003 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
Bad law or really bad law?
By Scott Bradner
Over the last few weeks a number of state legislatures have started to consider similar bills, apparently at the behest of the copyright folk, bills that fail to learn the unintended consequences lessons of the DMCA.
The Digital Millennium Copyright Act (the DMCA) has not done all that much to protect the legitimate rights of copyright holders but it has hurt the quality of American software and has hurt American competitiveness. It has done this by making it illegal, or at least very risky, to tell a company that the security in the products they are using is crappy. If a company cannot find this out before the bad guys do the company's secrets, its products and, sometimes, its very existence, is at risk.
The same folk that brought you the DMCA are trying to improve it at the state level. Most of the law is actually less bad than the DMCA, although that would not be all that hard, but there is some sloppy writing that could have a worse impact than the DMCA does, and that would be hard.
The bill says, in part, (from the Texas version of the bill): A person commits an offense if the person intentionally or knowingly manufactures, sells, etc, a communication device with an intent to "conceal from a communication service provider, or from any lawful authority, the existence or place of origin or destination of any communication;"
Most of the bill is targeted at people who do things with an intent to defraud, but this section does have this limitation. I expect this is just sloppy writing, or at least I hope so.
This section, if enforced literally, could outlaw network address translators (NATs) and common configurations in firewalls, both of which conceal the actual source and/or destination of a communication by rewriting the network addresses. As I've written before, I'm no fan of these devices used in this way but outlawing them would be quite silly.
But the real problem with the way that this section is written is that it could be read to outlaw secure virtual private networks (VPNs). Secure VPNs are what everybody should use if they are connecting back to a corporate network when they are on the road or at home. But since secure VPNs are actually encrypted tunnels, all of my communication, including the destination and source of any email that I read or send through a VPN is concealed from the local service provider and any lawful authority that might be listening in.
I hope that this is not what the bill actually is trying to control. If it were trying to outlaw encrypted communications between travelers and the companies that employ them, silly would not be the word that would spring to mind to describe the idea. Maybe someone with a tiny bit of clue will fix this before any of these bills gets approved. Note that I'm not implying that I think that these state-level bills will actually help fix the problems that the copyright people have, the only things that will help here are some new business models, but at least lets not destroy American business to protect a few copyright holders.
disclaimer: Harvard deals with bequests not behests and the above is my own opinion.