We not only need more cybercops, they need better laws to enforce. 8/03 ReleVents hed: The DMCA is a disgrace dek: We not only need more cybercops, they need better laws to enforce. By James Mathewson
I inadvertently upset several hackers when I wrote my call for cybercops earlier this week. I don’t think it would have upset as many people in any other week. But coming on the heels of the FBI’s witch hunt, which is perhaps best analyzed by Jon Katz on Slashdot, anything in favor of the FBI might seem scandalous.
The witch hunt in question is the arrest of Russian software developer Dimitry Sklyarov, who still sits in jail for plying his craft to demonstrate the weakness of Adobe’s e-book technology. Sklyarov was arrested in his hotel after delivering a demonstration as to the weakness of Adobe’s technology. In effect, he is being held for openly discussing his research, which smacks of First Amendment issues.
Katz rightly criticizes the media for its silence on this sordid affair. Though we covered it three days in a row, here, here, and here, I have not commented on this case in this space. So his criticism hits home, especially when I seemed to defend the FBI on its efforts to find qualified people elsewhere.
In a nutshell, Katz quotes several copyright law scholars that show that the Digital Millennium Copyright Act (DMCA) is in direct violation of constitutional fair-use provisions. One such scholar, Stanford Law Professor Lawrence Lessig, says it best: “[The DMCA] criminalizes what would be legal under existing copyright law, including certain kinds of criticism, speech, and research.” And the law is not just unconstitutional, it is bad for software development, especially security software. Ironically, the DMCA weakens the very thing it is supposed to strengthen. As Katz puts it, “How can weaknesses and flaws in security and encryption programs be discovered if they can’t be shared, discussed, or explored?”
In fairness to myself and our site, I have discussed this problem with the DMCA several times before in conjunction with another case. My view has always been exactly compatible with Katz’s. In addition, I am somewhat optimistic that the DMCA will eventually be overturned on constitutional grounds, even though one judge after another has upheld the law.
Still, some may doubt my commitment to the cause based on my support of counter-hacker efforts. In truth, when I wrote that column, I worried that certain ethical hackers would show their righteous indignation by submitting our site to a denial-of-service (DoS) attack. But I can’t pull my punches in fear of retaliation, and the same can be said for this column. So I will attempt to show that my support of counter-hacker efforts is compatible with my view that many counter-hacking efforts are not only unlawful but are harmful to the counter-hacking cause.
There are good hackers and bad hackers. There are good laws and bad laws. There are good law-enforcement efforts and bad law-enforcement efforts. In general, good hackers are responsible for keeping the Net from disintegrating into chaos. Hacking tools are so pervasive that, were it not for these folks–the vast majority of hackers–we would all suffer immeasurably at the hands of the bad hackers, or crackers.
In general, those who craft laws intending to police the Net have little idea of what they’re doing. The DMCA is the most obvious case. But there are other bad ones. Still, it is and should be illegal to break into computer networks and steal stuff–credit card numbers, private information, etc. There are many other similarly obvious cases of illegal hacking that require law enforcement to prosecute. The problem lies in the vast gray area between obvious illegal behavior and obvious legal behavior that is treated as illegal (such as Sklyarov’s research). I don’t think we can draw a hard line here.
Where do law enforcement agencies draw that line? Given the glut of cybercrimes and the dearth of talent, what do they choose to enforce? This is essentially the problem facing law-enforcement agencies. For example, is it wrong to launch a DoS attack against Nazi propaganda sites? Strictly speaking, it is illegal, but should the FBI prosecute? My view is that this is tantamount to prosecuting certain antigay legislation that is pervasive throughout the U.S.
Cops who are inclined to enforce bad laws when there are plenty of crimes of a more obvious nature are clearly in the wrong. And this is the case facing the FBI. It strikes me that they arrested Sklyarov because it was easy. He was committing his “crimes” in public view. In a sense, he committed civil disobedience in publishing his research. And the FBI deserves plenty of criticism for its role in this case, as it did for its role in prosecuting Martin Luther King and other members of the civil-rights movement. Yet, this takes nothing away from the fact that the FBI needs help prosecuting cases of a more obvious nature. They obviously also need help at the management level in deciding which cases to pursue. And if the higher-ups in the FBI continue to prosecute bad laws and avoid prosecuting good laws, few good hackers will consider signing up for the cause of justice.
James Mathewson is editorial director of ComputerUser magazine and ComputerUser.com.