If you weren’t at [Cory Doctorow’s] DEF CON talk on Friday you missed out. Fighting Back in the War on General Purpose Computing was inspiring, informed, and incomparable. At the very lowest level his point was that it isn’t the devices gathering data about us that is the big problem, it’s the legislation that makes it illegal for us to make them secure. The good news is that all of the DEF CON talks are recorded and published freely. While you wait for that to happen, read on for a recap and to learn how you can help the EFF fix this mess.
I love reading [Cory Doctorow], he’s a great futurist and books like Down and Out in the Magic Kingdom have really affected the way I think about the world. It’s no surprise that he has his finger on the pulse of where our “future” tech is right now. This is a picture of the Internet of Things: smart homes and devices you can talk to. But this future comes with the cost that we are surrounding ourselves with devices that are always listening and always watching. How do you know when that listening and watching is being misused? This depends on the security of the device and your ability to know how access and data are being used.
The Inkjet Business Model
Devices are being sold as a platform that is intended to be completely controlled by the manufacturer. They can continue to monetize the device by selling add-ons and controlling who can build accessories for the platform. But it goes much further than that, the manufactures are also building ways to remotely shut down devices and further control how you use them.
One of the best examples of this is sub-prime car lending. These types of agreements can include where you’re allowed to drive the vehicle, and if you go out of bounds an ignition interlock can remotely disable your car. [Cory] carries this concept forward by citing [Hugh Herr], who uses an amazing set of robot legs (check out this TED talk if you haven’t already). These legs cost as much as a house… what if your creditors decide to shut down your legs?
Another example [Cory] cited was the John Deere tractor story we covered in May.
DRM and the DMCA
The side-effect of the Inkjet Business Model is that manufacturers want do defend their ability to enforce the business practice and the method that’s long been in use is Digital Rights Management, or DRM. At its core this is the ability for a device to verify that the content being used on it is authorized by the manufacturer. Inkjet is a perfect example as there was a landmark court case where Lexmark sued an inkjet cartridge refill company who was resetting the chip in the cartridge that indicated it was out of ink.
The idea of DRM was codified in the 1998 Digital Millenium Copyright Act or DMCA. The key provision of this law is DMCA 1201 which deals with Anti-Circumvention. This makes it crime to break a lock that is protecting any copyrighted material, and the penalties are severe: 5 years in prison and $500,000. One of the key provisions of this bill is that it shifts the cost of enforcement onto the government; companies don’t have to pay to litigate against anyone who violates the DMCA.
The penalties are a huge deterrent. But this has an unpleasant side-effect. There is no allowance for security research. Which means that if you find a vulnerability and disclose it you are breaking the law. Let me repeat that… if you disclose a security vulnerability (privately) to the company that makes the hardware you are breaking the law. This makes our system fundamentally insecure by strongly disincentivizing anyone other than criminals from finding — or at least reporting — security flaws.
This is well-outlined in the Electronic Frontier Foundation’s report: Fifteen Years under the DMCA.
We Can Solve This
It is unlikely that the DMCA is going to be fixed in congress, so [Cory] and his colleagues at the EFF have a plan to fix this. They want to kill DRM worldwide in the next 10 years and we couldn’t agree more with the plan. He also makes the case that killing it in the United States will likely kill it worldwide as this legislation has been pushed on other nations in what he calls “a suicide pact”.
Security researchers are breaking DMCA 1201 all the time. Disclosing vulnerabilities means the companies are pressured to fix them lest they be liable for security breaches that use those attack vectors. Removing DRM will make it legal to report vulnerabilities, leading to a more secure world where we can have our futuristic cake and eat it too.
Check out the EFF website on ways you can get involved. This can be talking about your experiences with security research, telling others about this important work, or donating time, talent, or treasure to the effort.