[e-privacy] (fwd) [risks] Use a Firewall, Go to Jail

Anonymous cripto at ecn.org
Wed Apr 2 07:38:59 CEST 2003


-- forwarded message --
Message-ID: <c10eddeeea0487d8956e2cc365ceac6e at dizum.com>
From: Nomen Nescio <nobody at dizum.com>
Newsgroups: alt.privacy.anon-server
Subject: [risks] Use a Firewall, Go to Jail
Date: Tue,  1 Apr 2003 15:00:01 +0200 (CEST)
Lines: 127
Comments: This message did not originate from the Sender address above.
	It was remailed automatically by anonymizing remailer software.
	Please report problems or inappropriate use to the
	remailer administrator at <abuse at dizum.com>.
Mail-To-News-Contact: abuse at dizum.com
Organization: mail2news at dizum.com


Originally from:  RISKS List Owner <risko at csl.sri.com>
Original Subject: [risks] Risks Digest 22.66
Original Date:    Tue, 1 Apr 2003 0:45:46 PST

========================== Forwarded message begins ======================

RISKS-LIST: Risks-Forum Digest  Tuesday 1 April 2003  Volume 22 : Issue 66

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Date: Fri, 28 Mar 2003 15:36:25 -0500
From: Monty Solomon <monty at roscom.com>
Subject: Use a Firewall, Go to Jail

http://www.freedom-to-tinker.com/archives/000336.html

March 26, 2003
Ed Felten, Use a Firewall, Go to Jail

The states of Massachusetts and Texas are preparing to consider bills that
apparently are intended to extend the national Digital Millennium Copyright
Act. (TX bill; MA bill) The bills are obviously related to each other
somehow, since they are textually similar.

Here is one example of the far-reaching harmful effects of these bills. Both
bills would flatly ban the possession, sale, or use of technologies that
"conceal from a communication service provider ...  the existence or place
of origin or destination of any communication".  Your ISP is a communication
service provider, so anything that concealed the origin or destination of
any communication from your ISP would be illegal -- with no exceptions.

If you send or receive your e-mail via an encrypted connection, you're in
violation, because the "To" and "From" lines of the e-mails are concealed
from your ISP by encryption. (The encryption conceals the destinations of
outgoing messages, and the sources of incoming messages.)

Worse yet, Network Address Translation (NAT), a technology widely used for
enterprise security, operates by translating the "from" and "to" fields of
Internet packets, thereby concealing the source or destination of each
packet, and hence violating these bills. Most security "firewalls" use NAT,
so if you use a firewall, you're in violation.

If you have a home DSL router, or if you use the "Internet Connection
Sharing" feature of your favorite operating system product, you're in
violation because these connection sharing technologies use NAT. Most
operating system products (including every version of Windows introduced in
the last five years, and virtually all versions of Linux) would also
apparently be banned, because they support connection sharing via NAT.

And this is just one example of the problems with these bills. Yikes.

UPDATE (6:35 PM): It's worse than I thought. Similar bills are on the table
in South Carolina, Florida, Georgia, Alaska, Tennessee, and Colorado.

UPDATE (March 28, 9:00 AM): Clarified the paragraph above about encrypted
e-mail, to eliminate an ambiguity.

Posted by Edward W. Felten  

  [Moderator's note:  This item is NO JOKE, despite the date of this issue.
  Check out the thread that is occurring subsequent to Ed Felten's message:
    http://www.freedom-to-tinker.com/archives/000336.html
  as well as the next two messages in this issue, from Steve Bellovin and
  William Allen Simpson.  PGN]

------------------------------

Date: Fri, 28 Mar 2003 19:08:42 -0500
From: "Steven M. Bellovin" <smb at research.att.com>
Subject: Re: Use a Firewall, Go to Jail

After reading the full text of the Texas bill 
(http://www.capitol.state.tx.us/data/docmodel/78r/billtext/pdf/HB02121I.PDF),
I think it may be even worse than Felten portrays it.

First, a number of people have claimed that the bill isn't a problem, 
since it only applies if you intend to harm or defraud an ISP.  I don't 
think that that's the case.

Section 2 of the bill, which does contain the phrase "with the intent to
harm or defraud a communication service", bars theft of service.  (I'm 
speaking loosely here; read it for yourself.)

Section 4 also contains that phrase; it bars possession of devices for
defrauding providers.  (The language is very broad, and seems to bar
possession of even a computer or modem if you have evil intent.)

The ban on concealing origin or destination is in Section 6.
That section does *not* have the "intent to harm" phrase.  Given that 
the bill is amending three consecutive sections of the state penal code 
(31.12, 31.13, and 31.14), and given that the first two sections have 
that language but the third doesn't, it's hard for me to conclude that evil 
intent is required by the proposed statute.

But it's worse than that:  the bill bars concealment of "existence or 
place of origin or destination of any communication" from "any lawful 
authority".  In other words, it would appear to outlaw many forms of 
cryptography or steganography, or anonymous remailers.  (As an aside, I 
would note that the constitutional justification for easy law 
enforcement access to source and destination address information via the
pen register statute is flimsy at best -- see my analysis at 
http://www.research.att.com/~smb/talks/Wiretaps/index.htm)

Even Web proxy servers and the Ethernet connectivity from many hotels
would be covered by this bill -- they obscure the origin, too.

What's unclear to me is who is behind this.  Felten implies it's content
providers trying for a state-level DMCA; I think it's broadband ISPs who are
afraid of 802.11 hotspots.  In fact, if the "intent to cause harm" phrase
were added to that section, it would clearly criminalize behavior that some
ISPs are trying to ban today via their terms of service.

Steve Bellovin, http://www.research.att.com/~smb http://www.wilyhacker.com

------------------------------

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to <risks-request at csl.sri.com> with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo at CSL.sri.com .

========================== Forwarded message ends ========================

-- end of forwarded message --



