Editorial by Eugene Spafford
                CERIAS at Purdue University
                     August 4, 2000

The biggest threats in the next decade to information security may not
be malicious hackers and viruses. They are going to be bad law, passed
by ill-informed legislators, and pushed by greedy and unscrupulous
commercial interests with lots of money with which to lobby. Those
companies are going to seek to further expand (bad) law protecting
intellectual property, curtailing consumer rights, and further
protecting them from the consequences of their production of bad software.
You don't believe it?  If you live in the US, consider the following
scenario: You buy some shrink-wrapped software for use in your business
or at home. As part of that purchase:

    * you are bound by a license inside the box that you cannot read
      until you make the purchase

    * the license can be changed by the vendor simply by posting
      an update at the vendor's WWW site or sending you email, and
      you are legally bound by the changes

    * you are required to open your firewall to allow the vendor
      access to a "backdoor" in the software to allow the vendor to
      monitor license compliance and remotely disable the software
      at the vendor's option

    * you can be sued by the vendor if you reverse-engineer the code
      or protocol to find out exactly what information the software
      is collecting and sending out

    * if the software fails catastrophically because of clear and
      obvious negligence, you can't sue the vendor

    * if you decide to publish a review of the software noting your
      bad experiences, you can be sued by the vendor for not obtaining
      prior review and permission by the vendor

Sounds absurd, doesn't it?  Impossible, perhaps?  Unfortunately
not -- it is currently embodied in state law in both Maryland and
Virginia, and will soon be considered by the state legislatures in the
other 48 states. If a vendor chooses to write any of the above-mentioned
provisions into a software license, state contract law will allow and
support it. The vehicle for this travesty is UCITA -- the Uniform
Computer Information Technology Act.  Ostensibly an update of the
Uniform Commercial Code in each state, the process of drafting the act
was co-opted by some of the largest entertainment and software firms.
The result is something that is opposed by a Who's Who of the computing
and consumer-rights milieu -- including the IEEE, ACM, MPAA, ALA,
Consumers Union, and the FTC. (See www.badsoftware.com/oppose.htm
for an incomplete list of opponents.)

Why is UCITA such a threat when it is so obviously bad for consumers
and the IT industry (and security people in particular)? Mainly because
of the complexity of the issue and the money involved. The draft act is
several hundred pages of dense legalese that is beyond the ability of
most state legislators to analyze. So, they are depending on the word
of knowledgeable experts to understand the impact. Unfortunately, the
companies that stand to gain the most are also lobbying the most
strongly on this issue. The mantra heard in MD and VA from these
lobbyists was that if the states didn't pass UCITA then they would not
be able to compete for high-tech jobs and dollars. This is persuasive
to legislators who don't otherwise understand the issues. How would it
play in the halls of your state capitol?

So, what can *you* do?  Well, first of all, educate yourself about the
issues. Start with Barbara Simons' editorial "Shrink-Wrapping Our
Rights" in the Inside Risks column of CACM (vol #8, August 2000); also
available at www.csl.sri.com/neumann/insiderisks.html. You can also
find articles about UCITA and its impact at www.ucita.org/. Then, you
need to communicate with your state legislators about the problems this
law would bring to your state if passed, and give them your opinion of it.
Remember -- the insider threat is not simply from employees. The
software you use may well be the biggest threat, along with its vendor.
What good is security technology when the law doesn't let you protect
yourself?

---
All inventions or works of authorship original to me,
herein and past, are placed irrevocably in the public
domain, and may be used or modified for any purpose,
without permission, attribution, or notification.