License to Hack
By FRANK HAYES
JULY 08, 2002
There are bad ideas, and then there are really awful ideas. Example of a bad idea: the proposed uniform state law called the Uniform Computer Information Transactions Act (UCITA), with its "self-help" provision that lets vendors remotely sabotage software you've bought if they believe you're not conforming to their license terms. That one is such a stinker that three states have actually outlawed UCITA provisions from being enforced.
And a really awful idea? Try legalizing malicious hacking.
That's what a Los Angeles congressman named Howard Berman has in mind. He's proposing a federal law that would let copyright holders use "technological self-help measures" against peer-to-peer networks like Kazaa, Morpheus and the now-moribund Napster in order to fight piracy of their copyrighted material.
What kind of "self-help" would be legalized? Spoofs, redirection, file blocking, decoys, interdiction and, oh yeah, actually breaking into servers to plant malicious code.
And what if a copyright holder causes additional damage or attacks the systems of someone who isn't actually misusing their copyrights? Berman's bill would protect them from being arrested or sued.
Now let this sink in for a moment: This law is a license to hack, and hack maliciously - without any further government approval, without a court order, entirely at the discretion of the copyright holder.
This is a terrible idea. Full disclosure: I've got no use for peer-to-peer networks where music and movies and software are pirated. My own copyrighted work has been ripped off on the Internet. My friends include the owners of several tiny music labels who hate the music-stealing networks with a passion and rejoiced when Napster went down. So I'm in a position to benefit from this license to hack.
But I repeat: It's a truly awful idea. And not just because it would give a little moral justification to every overgrown juvenile delinquent who believes that "if it's OK for big movie studios to break into someone else's computer, then it's OK for me, too."
It's also a bad law for us because even though it's aimed at peer-to-peer outfits like Kazaa and Morpheus, the next target will be corporate IT.
Face it, there's no way to write a law that's sure to include all peer-to-peer pirates without defining things very broadly. So any copyright holder who's got a beef with any organization whose networks may be used to violate copyrights could claim this license to hack.
So if some software vendor decides your company might have unlicensed software on its network - whether that's true or not - the vendor could break into your servers and rummage around. After all, the software vendor is a copyright holder, and that server is on a network.
Sound crazy? Remember, Berman's idea is to leave this all to the discretion of the copyright holder. And some copyright holders are notorious for believing their rights extend far beyond what any court or lawmaker has ever approved. For software makers who want to have you in a hammerlock, this is like UCITA on steroids.
And what if a competitor suspects you've acquired some of its copyrighted proprietary information? (Remember, the suspicion doesn't have to be true.) Does anyone think some companies wouldn't jump at the chance to hack into their rivals' networks legally, no matter how flimsy the pretext, and "self-help" themselves to whatever they can find?
Berman says copyright holders are at a disadvantage against peer-to-peer pirates. That's absolutely true. Crooks always have an advantage - they don't obey the law.
But the legal system shut down Napster for copyright infringement. That's the way to go after other peer-to-peer pirates too.
There are already too many malicious hackers out there threatening our systems. Making any kind of electronic sabotage legal is a really, really awful idea.
Frank Hayes, Computerworld's senior news columnist, has covered IT for more than 20 years. Contact him at firstname.lastname@example.org.