[dvd-discuss] Re: Sen. Hollings plans to introduce DMCA sequel: The SSSCA
- To: "Arnold G. Reinhold" <reinhold(at)world.std.com>
- Subject: [dvd-discuss] Re: Sen. Hollings plans to introduce DMCA sequel: The SSSCA
- From: Jeffrey Altman <jaltman(at)columbia.edu>
- Date: Sun, 9 Sep 2001 12:47:27 EDT
- Cc: Jay Sulzberger <jays(at)panix.com>, Harald Koch <chk(at)pobox.com>, <cryptography(at)wasabisystems.com>, dvd-discuss(at)cyber.law.harvard.edu
- In-Reply-To: Your message of Sun, 9 Sep 2001 10:37:20 -0400
- Reply-To: dvd-discuss(at)cyber.law.harvard.edu
- Sender: owner-dvd-discuss(at)cyber.law.harvard.edu

The scariest part of this proposed bill is its definition of the term
"Interactive Digital Device":

The term "interactive digital device" means "any machine, device,
product, software, or technology, whether or not included with or as
part of some other machine, device, product, software, or technology,
that is designed, marketed or used for the primary purpose of, and
that is capable of, storing, retrieving, processing, performing,
transmitting, receiving, or copying information in digital form."

This of course applies to all computer software since all programs
operate on data in "digital form". Since all interactive digital
devices will be required to utilize certified security technologies
this would imply that every protocol used on the internet; every
program that reads/writes from disk or from memory or from a CPU
register; will need to have an approved security technology.
Certainly the government is not in a position to develop a security
standard for each and every internet protocol: SMTP, FTP, HTTP, SSH,
TELNET, RSH, LDAP, DNS, ... Not to mention every Hello World type
program that has ever been developed.

It is also unclear from the proposed bill what the purpose of the bill
is.

"To provide for private sector development of workable security
system standards and a certification protocol that could be
implemented and enforced by Federal regulations, and for other
purposes."

Is this meant to be an add-on to the DMCA to make it easier for
commercial copyright holders to limit the types of devices that can be
built, sold, and used? This could be done by having the laws specify
the use of standards requiring licensing of technologies that are only
available on a fee per instance basis. (This would exclude the use of
any open source operating system.)

Is this meant to ensure that appropriate technologies are in all
personal devices (PCs, phones, PDAs, set top boxes, ...) to ensure the
privacy of the data sent and received by their users? A worthy goal
although I doubt I want the government regulating which protocols and
security standards I can use.

In either case, it seems unrealistic to assume that the government can
regulate this effectively. Will the government create their own
security standard for each protocol, service, application, computing
architecture, ... or will it simply order the use of standards
recognized by a group such as the IETF? If the IETF (or a similar
group), where will the funding come from? I'm sure the IETF does not
want to become a line item in the U.S. budget.

I asked a computer science freshman to look at this proposed bill and
here was his reaction:

"well from a short look, I like the idea behind it. I think it would
be very good if everyone knew when they sent information of any sort
that it would be secure. There are two problems I have with it
though. One, is that I'm trying to think about the real world
implications of this bill. I'm trying to think if it will cause a lot
of problems integrating these security measures. Second, I don't know
if it's a good idea to use one standard for security. It seems to me
that once a security standard is made, a few years later, people find
out a flaw in it, or processing power is good enough to break it.
Having one standard makes it the target to try and break, whereas if
there are many different standards, it's less of a risk."

I think that the concerns about end user privacy and identity theft
will lead the vast majority of the public at large to support bills
similar to this even if the end result would be a sharp reduction in
their rights. Of course, my student also understands that there are
serious implications that have to be considered.

Jeffrey Altman * Sr.Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
kermit-support@kermit-project.org

C-Kermit 8.0 Beta available
includes Secure Telnet and FTP
using Kerberos, SRP, and
OpenSSL. SSH soon to follow.