Laws and sausages

Rupert Goodwins: The combination of law and commercially dictated security measures is accelerating us towards a dangerously closed world

Traditionally, there are two things where you don't want to know how they're made: laws and sausages. Now modern technology brings us a third: secure computing. The combination of that and legislation is proving exceptionally hard to swallow.

These are worrying times for anyone who feels that between freedom and restriction, restriction is the bigger threat to progress. Increasingly, we've seen stories about American legislation -- most often the Digital Millennium Copyright Act (DMCA) -- preventing researchers into cryptography from publishing their work, and sometimes stopping them from researching altogether.

Let's take some stories from this week alone. MIT student Andrew Huang lost his publisher for "Hacking the Xbox", a book detailing how he'd found out the flaws in the Microsoft console, because publishing similar information on the Web had landed one chap in gaol. Another pair of students were banned from giving a talk about vulnerabilities in a university electronic transactions system -- the makers of the system got the court order to prevent the lecture.

Most worryingly, researcher Niels Provos from the University of Michigan has moved all his research documents and software to a server in the Netherlands. He works in steganography -- the art and science of hiding information in other information -- and is also known for creating honeypots, fake networks of computers that attract hackers. Both of these areas of interest are now illegal in Michigan, under brand new (and practically undiscussed) state law that prohibits software or hardware that 'conceals the existence or source of any electronic communication'. The same law prohibits connecting devices to communications services without the express permission of the service provider.

What does this mean? It means that you can't hang a wireless gateway on your cable modem. You can't plug so much as a video recorder into your cable TV. You can't even plug in a computer -- unless your service provider says so. We're right back in the pre-privatisation days of the General Post Office, when all you could do with your telephone line was plug your GPO telephone in and say thank you: how badly does this affect our rights to use and expand the Internet?

But instead of moves to limit this wave of control and criminalisation, the industry seems keen to encourage it. You may remember Palladium, Microsoft's fuzzily described initiative to lock up the PC architecture. You may remember the Trusted Computing Platform Alliance, TCPA, which was a 200-member group to create a somewhat more open approach to the same thing. Well, the TCPA board of directors (guess who) decided unilaterally to abandon that and set up the Trusted Computing Group, TCG. The old TCPA members weren't consulted about this, but they're welcome to join the new group -- under the new group's rules. Microsoft has said previously that Palladium would become the next version of the TCPA standards -- looks like they found a way to do this without having to OK it with the members.

Or with you. There is no independent consumer or academic input to the TCG. And while eminent cryptographers such as Whitfield Diffie have said that the Microsoft approach "lends itself to market domination, lock-out and not really owning your own computer," and Ronald Rivest -- founder of RSA Security -- has called for full and open public debate, it's hard to see how this can take place when cryptographic research is rapidly becoming criminal, and big companies like Microsoft, Intel, IBM, HP et al are free to impose security standards -- which will be automatically backed up by laws such as the DMCA -- at will.

Oh, and don't think just because we're in Europe, we're safe. The German parliament is within a whisker of implementing an equivalent law, under European Directive 2001/29/EC. We're not behind.

If you really want something to worry about, take a look at your power supply. Five years ago in the US, a security survey of the national power system -- if you can call the American hodgepodge such a thing -- revealed an enormous mess. Power companies' LANs were haphazardly interconnected with control systems, passwords were hard-wired into switches by the manufacturers, modems on open lines controlled major equipment. In short, a huge accident waiting to happen. Only now are the Americans pushing together a standard for security compliance, with fines for failure. What's happening in the UK? I don't know. You can search the industry regulator's Web site, and see what you can find. Good luck.

While computer security remains in the hands of commercial interests intent on criminalising and locking their customers into terrified, powerless compliance, the real risks are going unchecked and unremarked.