Monday, November 21, 2011
How Not To Secure the Net
In the wake of credible allegations of hacking of a water utility, including physical damage, attention has turned to software security weaknesses. One might think that we'd want independent experts - call them whistleblowers, busticati, or hackers - out there testing, and reporting, important software bugs. But it turns out that overblown cease-and-desist letters still rule the day for software companies. Fortunately, when software vendor Carrier IQ attempted to misstate IP law to silence security researcher Trevor Eckhart, the EFF took up his cause. But this brings to mind three problems.
First, unfortunately, EFF doesn't scale. We need a larger-scale effort to represent threatened researchers. I've been thinking about how we might accomplish this, and would invite comments on the topic.
Second, IP law's strict liability, significant penalties, and increasing criminalization can create significant chilling effects for valuable security research. This is why Oliver Day and I propose a shield against IP claims for researchers who follow the responsible disclosure model.
Finally, vendors really need to have their general counsel run these efforts past outside counsel who know IP. Carrier IQ's C&D reads like a high school student did some basic Wikipedia research on copyright law and then ran the resulting letter through Google Translate (English to Lawyer). If this is the aptitude that Carrier IQ brings to IP, they'd better not be counting on their IP portfolio for their market cap.
When IP law suppresses valuable research, it demonstrates, in Oliver's words, that lawyers have hacked East Coast Code in a way it was not designed for. Props to EFF for hacking back.
Cross-posted at Info/Law.
Two thoughts. First, how many threatened researchers need representation? How does one know?
Second, how much of the chilling effects are caused by laws as compared to press coverage of laws, which is sometimes inaccurate?
Posted by: Orin Kerr | Nov 22, 2011 3:20:19 AM
Here's one top-down proposal, and one bottom-up proposal: One might try to formalize a research exception in the Copyright Act, like § 1201(g), which excepts encryption research from the anticircumvention provisions of the DMCA. How effective the research exception is depends in part on the language used to define the exception, and to define who counts as a researcher.
Researchers might also be able to write up a "researcher's best practices," not unlike the documentary film-maker best practices. (I couldn't open the link to the disclosure model, but it may be an attempt to do just that.) The goal would be to formalize fair use propositions in a way that had a soft binding effect on researchers. Note, however, that the documentary film-maker best practices were primarily useful to get errors & omissions insurers to cover films making fair uses of copyrighted materials, or distributors / television channels to purchase the film. See generally, Aufderheide & Jaszi, Reclaiming Fair Use, 94-107 (2011). Articulating best practices may be of less use in discouraging CDLs.
Posted by: Jake Linford | Nov 22, 2011 8:02:41 AM