I am asking the board to enact a resolution opposing legislation to implement the WIPO (World Intellectual Property Organization) treaty as it is currently written. I've divided this memo into four parts (brief overview of the treaty, summary of specific objections, proposed resolution, and sources of additional information).
I'd urge the earliest possible action on this. According to an article in the trade press in very late June, a committee vote, previously postponed, is anticipated in late July.
I would like to thank Tim Plas for doing the lion's share of the work in pulling this information together. Much of the information is liberally quoted from known and respected security experts, in particular but not exclusively the developer of NTBugTraq (Russ Cooper R.C. Consulting, Inc. NTSecurity@listserv.ntbugtraq.com). Particulars have been verified from multiple sources.
The WIPO treaty has the very appropriate purpose of strengthening protections of intellectual property (ie - copyrights). As with any treaty, the US Senate must ratify the treaty, and then both houses must pass enabling legislation, putting the terms of the treaty into law. We are now at the enabling legislation stage.
To quote from Russ Cooper:
The WIPO Copyright Treaty, in and of itself, is not the problem. Dr. Kamil Idris, Director General of the World Intellectual Property Organization states himself, in his welcome message, that the mandate of the WIPO includes;
- that the progress of humankind, in the widest sense, rests upon its capacity to advance ever further in the areas of technology and culture;
- that any such advance, be it by means of invention or artistic work, represents an "intellectual property";
- that whoever originates or legally owns such a property deserves the right to protection under the law against its unfair use (for example, counterfeiting or piracy) by others;
- that by ensuring such legal rights, others will be encouraged to expend time and resources on attempting to make other advances.
based on the WIPO treaty proposed and signed in Dec. '96;
At the essence of Chapter 12 of this Act is the issue of Copyright Protection Measures Circumvention. Many have interpreted this to mean reverse engineering of software or hardware, or analysis of cryptographic implementations.
The legislation can quite reasonably be interpreted to say:
1. It is illegal to test, debug, or analyze software for any purpose other than integration with an independent work you are creating.
If NT crashes for some reason, you cannot do these things using any method other than those supplied to you by Microsoft (or methods they approve specifically, such as something a support engineer might prescribe). Assuming you could not boot your machine, your system must stay down until such time as MS can help you fix it.
2. It is illegal to perform penetration testing.
Doing so might lead you to discover some aspect of the operation of the copyrighted software, which would then be considered a violation of this law. Its interesting that recently a multi-million (if not billion) dollar industry has evolved doing just this. This law will make all such applications illegal (Like the ISS Scanner, or others).
3. It is illegal to do intrusion detection.
The law prohibits you from interfering with the transmission of a copyrighted piece of work. So if John.A.Hacker puts a trivial copyright notification in his program that performs a Denial of Service attack on your network, you cannot interfere with its operation. As long as this attack is not targeted at a specific copyrighted piece of work (e.g. NT, or Win95) but at the network itself (e.g. a syn-flood attack), John.A.Hacker is not violating the law himself.
Should you attempt to analyze the attack, say to discover just who it was that shut your network down for a week, you would be violating their copyrighted work.
4. It is illegal to interfere with Cookies.
Cookies represent a component of a web application, and as such, are covered under the protections offered by this law. Therefore, if you are able to receive cookies but chose not to, you are interfering with the copyrighted work in transmission.
Of course this would also apply to any client-based agent that the site may wish to download to your machine to collect information about what applications you have installed. Any method of data collection that can be instigated by a connection to a copyrighted application must be allowed to perform its normal operations. Tampering is illegal.
5. Firewalls, or anything that Proxies transmissions and alters the contents, can be construed as illegal.
If all you want to do is ensure your employees are going to productive business related sites, sorry, you are tampering with the copyrighted application's capabilities. Not only can you not alter outbound, but if you alter, filter, restrict, inbound transmissions, you are again violating the law. So if you strip JavaScript out of a web page, or take a virus out of an email, you have violated this law. Not to mention the fact that the logs of such devices, like Firewalls, are, in themselves, a violation of the law. Information contained in such logs may sufficient disclose the copyrighted process used by a "work", and as such, cannot be disseminated. Of course Firewall vendors will be required to implement mechanisms to prevent the dissemination of their logs as the law compels a vendor who makes a product that might violate the copyright of another vendor to take appropriate steps. All Firewalls will end up like Microsoft's Netmon network monitor, unable to display passwords or anything that might be considered copyrighted material.
>From DFC:
6. Reduce Parental Control Over Access to the Internet. Section 1201(a)(1) also would make it illegal for parents to use programs to determine whether their children have visited on-line pornographic websites if the software would circumvent a technological protection measure used by a pornographer to block access to such information. Perhaps not surprising, the Home School Legal Defense Association (writing on behalf of 600,000 home school families) has advised Mr. Armey and other Members of the leadership that it opposes the bill because it would make it "more difficult for parents to monitor the on-line activities of their children. . .
We oppose HR2281, the WIPO treaty implementation act, as currently written. While supporting the intent of the WIPO treaty to protect intellectual property rights, we believe that the enabling legislation has significant problems. In particular, we oppose Chapter 12 provisions which are designed to limit the ability of I.T. professionals and end users to ensure the functional integrity of their own systems.
I would in particular urge you to review the DFC page, which deconstructs Chapter 12 section by section and explains the problems with each section. I also personally have a high level of respect for the opinion of EFF on this issue (conflict of interest note - I happen to be a dues paying member of EFF, although non-participating).
Note that I am not specifically endorsing HR3048, one alternative piece of legislation. Although EFF, EPIC, and others have endorsed this alternative, we havent had the opportunity to thouroughly evaluate it. Therefor, we chose only to recommend opposition to the bad legislation.
Last Updated July 15, 1998