Sen. Hollings plans to introduce DMCA sequel: The SSSCA

Jeffrey Altman jaltman at columbia.edu
Sun Sep 9 12:47:27 EDT 2001


The scariest part of this proposed bill is its definition of the term
"Interactive Digital Device":

  The term "interactive digital device" means "any machine, device,
  product, software, or technology, whether or not included with or as
  part of some other machine, device, product, software, or technology,
  that is designed, marketed or used for the primary purpose of, and
  that is capable of, storing, retrieving, processing, performing,
  transmitting, receiving, or copying information in digital form."

This of course applies to all computer software since all programs
operate on data in "digital form".  Since all interactive digital
devices will be required to utilize certified security technologies,
this would imply that every protocol used on the internet, and every
program that reads from or writes to disk, memory, or a CPU
register, will need to have an approved security technology.

Certainly the government is not in a position to develop a security
standard for each and every internet protocol: SMTP, FTP, HTTP, SSH,
TELNET, RSH, LDAP, DNS, ...  Not to mention every Hello World type
program that has ever been developed.

It is also unclear from the proposed bill what the purpose of the bill
is.

  "To provide for private sector development of workable security
  system standards and a certification protocol that could be
  implemented and enforced by Federal regulations, and for other
  purposes."

Is this meant to be an add-on to the DMCA to make it easier for
commercial copyright holders to limit the types of devices that can be
built, sold, and used?  This could be done by having the laws specify
the use of standards requiring licensing of technologies that are only
available on a fee-per-instance basis.  (This would exclude the use of
any open source operating system.)

Is this meant to ensure that appropriate technologies are in all
personal devices (PCs, phones, PDAs, set top boxes, ...) to ensure the
privacy of the data sent and received by their users?  A worthy goal,
although I doubt I want the government regulating which protocols and
security standards I can use.

In either case, it seems unrealistic to assume that the government can
regulate this effectively.  Will the government create its own
security standard for each protocol, service, application, computing
architecture, ... or will it simply order the use of standards
recognized by a group such as the IETF?  If the IETF (or a similar
group), where will the funding come from?  I'm sure the IETF does not
want to become a line item in the U.S. budget.

I asked a computer science freshman to look at this proposed bill and
here was his reaction:

  "Well, from a short look, I like the idea behind it.  I think it would
  be very good if everyone knew when they sent information of any sort
  that it would be secure.  There are two problems I have with it
  though.  One is that I'm trying to think about the real world
  implications of this bill.  I'm trying to think if it will cause a lot
  of problems integrating these security measures.  Second, I don't know
  if it's a good idea to use one standard for security.  It seems to me
  that once a security standard is made, a few years later, people find
  out a flaw in it, or processing power is good enough to break it.
  Having one standard makes it the target to try and break, whereas if
  there are many different standards, it's less of a risk."

I think that the concerns about end user privacy and identity theft
will lead the vast majority of the public at large to support bills
similar to this even if the end result would be a sharp reduction in
their rights.  Of course, my student also understands that there are
serious implications that have to be considered.

 Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 Beta available
 The Kermit Project @ Columbia University   includes Secure Telnet and FTP
 http://www.kermit-project.org/             using Kerberos, SRP, and 
 kermit-support at kermit-project.org          OpenSSL.  SSH soon to follow.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com