The DMCA is endangering American security
I've had the government's 60-day Cyberspace Policy Review sitting on my desk for many days now, dutifully highlighted and marked up with notes about how this bit could turn out interesting and that section looks a lot like what we've previously heard from DC about cybersecurity and that passage over there appears to have been lifted from the questionable financial-loss statistics one hears from the RIAA and BSA and MPAA and such. And I see one gigantic self-inflicted wound that I fear the current administration will ignore like the last two have -- ignored it since 1998, in fact.
The cybersecurity review says we need to improve academic and industry collaboration on cybersecurity and other technology issues. It also states we should "expand university curricula; and set the conditions to create a competent workforce for the digital age."
What the cybersecurity review should have said is, "We are raising a nation of timid technophobes who mistake using MyTwitFace for being a geek. Meanwhile, we have comprehensively, at every educational level, stripped away useful teaching tools and criminalized modes of research and inquiry in the name of copyright and liability laws, and sooner rather than later we are going to reap the whirlwind."
Or, putting it simply: We made ourselves stupid and now we must pay.
Since the rise of the Information Age, America has convinced itself that safety is a better choice than knowledge, and that anyone who doesn't make safety a priority over knowledge is Dangerous And Up To No Good. The 1998 Digital Millennium Copyright Act, which is entering its twelfth year of chilling security research, acts in direct opposition to the government's alleged goal of improving American cybersecurity by criminalizing the research and inquiry that make security products, and thus security, stronger.
And not only have we attained this vulnerable position step by step, special-interest groups such as liability lawyers and the entertainment industry -- not to mention the computer industry itself -- have paved the path for us, making us easily fleeced, easily frightened, and easily led.
We'll start with the little ones. I'm willing to bet that you, as a young geek, had a certain amount of curiosity about science. Did you own a chemistry set? Do you remember some of the chemicals that shipped in it, some of the reactions you could test? Enjoy your memories of, as Oliver Sacks put it in Uncle Tungsten, "stinks and bangs." As Steve Silberman has written about so effectively in Wired, legislators and law enforcement now send a loud-and-clear message that science is something best left to the professionals. As geekish youth will discover over and over, the claim that "someone could get hurt!" is the way that people who are unnerved by smart people make sure that no one actually gets smart.
Head for the schools -- the elementary schools, even. The entertainment industry hasn't been as successful as it would like in eliminating fair use for educational purposes. But it has managed to get its point of view into the classroom starting in third grade with Music Rules, which "informs students about the laws of copyright and the risks of online file-sharing." Parents are cautioned against the dangers of "songlifting" (the RIAA's preferred new term for downloading and/or ripping) and the program handouts conflate music downloading with exposure to online predators. The "someone could get hurt" motif continues, with the introduction of the "and you'll be a criminal if you try it" theme.
Speaking of online predators, move to the higher grades. We don't really like teenagers in America if they're not Miley Cyrus or the Jonas Brothers (so clean-cut, such radio-friendly unit shifters!), so despite multiple studies indicating that most teens know enough to ignore online weirdos and most teens are smart enough not to go a-sexting and most teens can deal with "cyberbullying," social networking and mobile phones are as reliably panic-inducing in the mainstream media as rock-and-roll and long hair were back in the day. Again, "someone could get hurt" (especially teenaged girls, whose interest in tech when they could be interested in makeup and clothes is already unseemly and suspicious); but teenagers being generally scary, we're equally convinced that they're out to get each other.
Meanwhile, we're at the age when the hacker gene expresses. Criminalizing young men (and women) who hack is old fare, documented as far back as Cap'n Crunch and Joe Engressia and a couple of Steves (Jobs and Wozniak), and where social pressures didn't push status-conscious kids away from exploring computers, legal pressures often did. Ask anyone who attended 2600 meetups back in the day -- even those meetups destined for nothing more subversive than a really bad movie -- what percentage of "attendees" were cops hoping to get lucky.
Onward to the world -- to college and adult lives. Those who still have the geek fever by now -- and US university enrollment rates in science and computer science curricula tell us it's not very many these days -- may hope to connect with worthwhile research projects and really dig into what makes systems tick. And here's where the DMCA works its wonders for security researchers (and I mean real security researchers, not hopeful political appointees putting together a 60-day job application) by chilling research and collaboration.
Ask Ed Felten about his research on flaws in e-voting machines.
Ask Seth Finkelstein about his research on censorware.
Ask J. Alex Halderman about the Sony-BMG rootkit. For that matter, ask the researchers who'd previously requested an exemption to the DMCA to examine that rootkit, a request denied by the Copyright Office. (I find, by the way, no evidence in the Cybersecurity Policy Review that Melissa Hathaway or any of her minions spoke to the Copyright Office to ask who the hell they think they are to make security decisions. I wish somebody would.)
Ask Dmitry Sklyarov about that five-month detention, and getting arrested at DEFCON.
Ask Luigi Auriemma about informing GameSpy of vulnerabilities and getting no answer but a DMCA cease-and-desist. (Apparently GameSpy's lawyers were as excellent as their coders, since Mr. Auriemma lives in Italy and had no intention of coming to the US to be prosecuted, but oh well.)
Ask Eric Corley about simply attempting to publish the DeCSS software code -- in a printed magazine -- in 2600.
Ask former cybersecurity chief Richard Clarke how much traction he got after he told a Boston newspaper that the DMCA needed rethinking, because "I think a lot of people didn't realize that it would have this potential chilling effect on vulnerability research." (Hint: He was out of government in 2003.)
Want to dig into a software program the way we used to dig into a car engine or an unexplored continent? For shame; you're obviously attempting to steal something. In the wake of 9/11, copyright holders and the law-enforcement folk who do their work have managed to turn the "steal something" gripe into "ZOMG TERRORISTS!," but otherwise, we're in the second decade of intellectual curiosity being a pre-crime condition. Meanwhile... need I say more than "China" and "India?"
The new administration doesn't need to plead for better cybersecurity education for the masses; in fact, considering what's passing for "education" on that front these days I'd prefer that education stuck with the basics -- reading, writing, arithmetic, and blowing stuff up with chemistry sets that actually teach something besides "lawyers want to ruin your fun." It needs to put muscle behind the idea of "expanding academic curricula," re-establishing the importance of the freedom to conduct research and to communicate the results without fear of hearing from lawyers for a company that simply doesn't want anyone to know they're shipping vulnerable products. The DMCA is deeply dishonest legislation, and -- as it continues to undermine security research -- deeply dangerous to our future.