Tuesday, May 28, 2013

Dumb Idea Or Dumbest Idea: Letting Companies Use Malware Against Infringers

from the dumbest-ideas-ever dept

We already did a post exploring the ridiculous background and bad assumptions of the so-called IP Commission Report, but we're going to explore some of the "recommendations" of the report as well. In that first post, we noted that the basis, assumptions and methodology of the report were all highly problematic, so it should come as little surprise that the "recommendations" that come out of it are equally ridiculous.

Let's start with the one that has received the most attention: the fact that the report recommends a "hack back" legalization, to allow those who feel their (loosely defined) "intellectual property" has been infringed to "hack back" at those who infringe. As Lauren Weinstein summarizes, this proposal more or less is a plan to legalize malware against infringers. Of course, this kind of idea is not new or unique. It's been around for a while. Almost exactly ten years ago, Senator Orrin Hatch proposed allowing copyright holders the right to destroy the computers of anyone infringing. The specifics here are explained over two "suggestions" that, when combined (hell, or even individually), are somewhat insane for anyone even remotely familiar with the nature of malware. First up, legalizing some basic spyware/malware:
Support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means.

Some information or data developed by companies must remain exposed to the Internet and thus may not be physically isolated from it. In these cases, protection must be undertaken for the files themselves and not just the network, which always has the ability to be compromised. Companies should consider marking their electronic files through techniques such as “meta-tagging,” “beaconing,” and “watermarking.” Such tools allow for awareness of whether protected information has left an authorized network and can potentially identify the location of files in the event that they are stolen.

Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved.
Basically, malware/DRM-on-steroids. As if that will work. Anyone who has even a modicum of experience with DRM or watermarking knows that these things aren't difficult to get around, and are basically a huge waste of time and money for those who employ them. The idea that they might then lock down entire computers if an incorrect file gets onto one seems even more ridiculous. Given how often DRM causes problems for legitimate users of the content, you can imagine the headaches (and potential lawsuits) this kind of thing would lead to. A complete mess for no real benefit.

So, then, they take it up a notch. If bad DRM/watermarking isn't enough, how about legalizing the pro-active hacking of infringers? No, seriously.
Reconcile necessary changes in the law with a changing technical environment.

When theft of valuable information, including intellectual property, occurs at network speed, sometimes merely containing a situation until law enforcement can become involved is not an entirely satisfactory course of action. While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.
Notice how that recommendation gets even more insane the further you read. "Retrieving" info? Okay. "Destroying info on an unauthorized network"? Yeah, could kinda see where someone not very knowledgeable about computers and networks thinks that's a good idea. "Photographing the hacker"? Well, that's going a bit far. "Implanting malware in the hacker’s network"? Say what now? "Physically disabling or destroying the hacker's own computer or network"? Are you people out of your minds?

This isn't just a bad idea, it's a monumentally dangerous idea that will have almost no benefit, but will have tremendously bad and dangerous consequences. Hell, today we already have to deal with a plethora of bogus DMCA takedown notices. Imagine if that morphed into bogus malware attacks or the destruction of computers? It makes you wonder how anyone could take anything in the study seriously when you read something like that.

To be fair, the authors of the report say they don't recommend legalizing this stuff yet, but immediately make it clear that something like this is going to need to happen in the future, because "the current situation is not sustainable." Based on what? Well, as we explained in the first post about this report, that's mostly based on the authors' overactive imaginations, rather than anything fact-based.
