[Cryptography] Georgia prohibits vulnerability research

L Jean Camp ljeanc at gmail.com
Thu May 3 15:44:16 EDT 2018 

We can just agree that indeed people should also study policy and law.

On Thu, May 3, 2018, 14:44 R0b0t1 <r030t1 at gmail.com> wrote:

> On Thu, May 3, 2018 at 11:32 AM, L Jean Camp <ljeanc at gmail.com> wrote:
> > Yes, the CFAA has seen quite a a bit of prosecutorial overreach. I am
> sure
> > many of us have at least been threatened. The bill as passed but not year
> > signed into law in GA is worse.
> >
> > This is closer to the Sklyarov prosecution where he did not use a
> > vulnerability rather he presented information about it. That case was
> > prosecuted under DMCA because sharing information about vulnerabilities
> is
> > not now and has never been found to be a violation of CFAA. It is the
> use of
> > vulnerabilities that concerns the CFAA, the investigation to find
> > vulnerabilities and discussions of these were under DMCA, and this law
> in GA
> > covers disclosure of their existence regardless of legitimacy in
> discovery.
> > It is quite problematic.
> >
>
> Hmm. That is what I thought the Georgian bill was about initially, but
> then I kept reading and it looked like a rehashing of the CFAA.
>
> This is an obvious violation of the first amendment, so why does
> anyone care? It will be overturned if it ever passes. I would suggest
> a better expenditure of effort and the attention span of those who
> will listen is the initial court case where the law is tested.
>
> > The DMCA has recently renewed the security research exemption; CFAA does
> not
> > have a formal security research exemption.
> >
>
> Thinking about a "security research exemption" in this way is
> dangerous. I will explain further below.
>
> A research exemption for the CFAA does not make much sense. Would a
> researcher be allowed to break into people's houses for research
> purposes? Would they be allowed to sneak around a military base or
> government building simply because they could get in?
>
> Realize that the CFAA tries to explicitly translate physical property
> law into a form that applies to computers. Knowing this it is easy to
> explain why it was written the way it was written, and why it has been
> applied in the way it has been applied.
>
> > The DMCA still allows CFAA prosecution if the research includes
> unauthorized
> > use. So the DMCA exemption does not remove all CFAA risks, but seriously
> > mitigates these as well as formally removing prohibitions on
> > anti-circumvention in good faith security research.
> >
>
> The DMCA and the CFAA are entirely different areas of law. I am afraid
> I do not understand what you mean.
>
> > This started as a temporary exemption which was then renewed.
> >
> https://www.ftc.gov/news-events/blogs/techftc/2016/10/dmca-security-research-exemption-consumer-devices
> >
> > You may find this report a more enjoyable read and it is fairly accurate:
> >
> https://www.techdirt.com/articles/20170625/01312637658/copyright-office-realizes-dmca-fucks-with-security-research-while-w3c-still-doesnt-see-it.shtml
> >
> > The people who worked to make that DMCA exemption happen include the CDT
> and
> > the USACM (the policy arm of the ACM), and to a lessor extent the
> IEEE-USA
> > (similarly the volunteer organization of the IEEE). None of us will be
> > abandoning the fight for better policy in vulnerability disclosure,
> crytpo
> > policy, or standards.
> >
>
> The right to reverse engineer the operation and construction of
> devices is not one which was granted but one which is inherent in the
> rule of law in the United States. It is absurd to think the DMCA ever
> removed it. More likely is that that clause of the DMCA, if ever
> seriously enforced, would be found invalid. And indeed it was
> challenged and changed. The "exemption" was likely a pragmatic move to
> avoid weakening the rest of the act by association with overreaching
> statements.
>
> All of the linked articles make the same critical flaw: that anything
> was given up or that concessions can even be granted. My reading of
> the law seems to make it evident that the majority of the novel
> concepts in the DMCA are simply invalid as they try to overturn longer
> existing and more basic property law.
>
> Please answer this: How can it be said I own something but have no
> right to use it? That is what the DMCA is saying. The parts that do
> not say something to that effect are just duplicating existing IP law.
>
>
> The way the creators of these laws are treated borders on Stockholm
> syndrome. Do not accept their laws simply because they pass. Do not
> compromise with them. Your rights are already guaranteed. A more
> effective call to action would be to request individuals disregard
> these laws and refuse to be bound by them as they are not valid.
>
> > Here, for example, is the short form of the USACM letter, there are
> longer
> > documents which detail the long slog towards this point:
> >
> http://usacmdev.acm.org/images/documents/1201_Short_CommentUSACMfinal.pdf
> >
> > The GA law goes far beyond the DMCA (except if Elcom had lost) and
> certainly
> > far beyond the CFAA which requires actual use of a vulnerability.
> >
>
> The CFAA requires unauthorized use of an information system. If you
> have valid credentials but your access has been revoked, e.g. via
> contract, then signing in would be a violation of the CFAA.
>
> > In any case, the bill HAS NOT BEEN SIGNED  and here is a very nice
> article
> > if you care to oppose it:
> >
> https://www.eff.org/deeplinks/2018/02/how-grassroots-activists-georgia-are-leading-opposition-against-dangerous-computer
> >
> >  "A ping is a felony" has been used in no case of which I am aware, and
> may
> > be rhetorical outreach to match the prosecutorial excesses we have seen
> > under CFAA. This bill in GA would unlikely to make a ping a felony
> either.
> > That is not even on the radar, unless of course it was part of a DoS
> > leveraging ping, which is another bucket of crabs altogether.
> >
>
> Under the CFAA all that matters is the machine operator's attitude
> towards your use of their machine. I do not think it is a stretch to
> consider the generation of an ICMP echo reply packet use. I do realize
> that it may be hard to make a prosecutor care about someone pinging
> your machine, but the CFAA technically forbids unsolicited ICMP echo
> requests.
>
> > There is fairly good material explaining it further in the links while
> > Security Week, tripwire, Microsoft, and Google have letters really the
> grass
> > roots on the ground is what has delayed this bill being signed.
> >
> > As for a ping being felony, this is a  fun if sometimes strident read:
> >
> https://www.amazon.com/dp/B00505UZ4G/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1
> >
> > You might recall the author from the famous MIT LaMacchia rule case.
> >
>
> That is good, but I sincerely hope people start studying the law which
> already exists. It is very informative and has the potential to be
> extremely surprising. There is existing precedent which is simply
> against the text of modern laws which remain unchallenged but tacitly
> enforced. Taking those laws and applying them to more common
> situations can be amusing. E.g., what if someone sold me a lawnmower
> but told me I could not repair it? I'd be concerned about their mental
> health and repair it anyway.
>
> Another good example: Some number of months ago I found out that those
> "warranty void if removed" stickers are invalid under the
> Magnuson-Moss warranty act. I believe this has some pretty far
> reaching implications especially w.r.t. bootloader locking.
>
> Cheers,
>      R0b0t1
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20180503/e01d4afa/attachment.html>

More information about the cryptography mailing list