Editorial by Eugene Spafford
CERIAS at Purdue University
August 4, 2000
The biggest threats in the next decade to information security may
not be malicious hackers and viruses. They are going to be bad law,
passed by ill-informed legislators, and pushed by greedy and
unscrupulous commercial interests with lots of money with which to
lobby. Those companies are going to seek to further expand (bad)
law protecting intellectual property, curtailing consumer rights, and
further protecting them from consequence for their production of bad
software.
You don't believe it? If you live in the US, consider the
following scenario:
You buy some shrink-wrapped software for use in your business or at
home. As part of that purchase:
- you are bound by a license inside the box that you cannot read
until you make the purchase
- the license can be changed by the vendor simply by posting an
update at the vendor's WWW site or sending you email, and you are
legally bound by the changes
- you are required to open your firewall to allow the vendor
access to a "backdoor" in the software to allow the vendor to monitor
license compliance and remotely disable the software at the vendor's
option
- you can be sued by the vendor if you reverse-engineer the code or
protocol to find out exactly what information the software is
collecting and sending out
- if the software fails catastrophically because of clear and
obvious negligence, you can't sue the vendor
- if you decide to publish a review of the software noting your bad
experiences, you can be sued by the vendor for not obtaining prior
review and permission by the vendor
Sounds absurd, doesn't it? Impossible, perhaps? Unfortunately not
-- it is currently embodied in state law in both Maryland and
Virginia, and will soon be considered by the state legislatures in
the other 48 states. If a vendor chooses to write any of the
above-mentioned provisions into a software license, state contract
law will allow and support it.
The vehicle for this travesty is UCITA -- the Uniform Computer
Information Technology Act. Ostensibly an update of the Uniform
Commercial Code in each state, the process of drafting the act was
co-opted by some of the largest entertainment and software firms.

The result is something that is opposed by a Who's Who of the
computing and consumer-rights milieu -- including the IEEE, ACM,
MPAA, ALA, Consumer's Union, and the FTC. (See
www.badsoftware.com/oppose.htm for an incomplete list of
opponents.)

Why is UCITA such a threat when it is so obviously bad for consumers
and the IT industry (and security people in particular)? Mainly
because of the complexity of the issue and the money involved. The
draft act is several hundred pages of dense legalese that is beyond
the ability of most state legislators to analyze. So, they are
depending on the word of knowledgeable experts to understand the
impact. Unfortunately, the companies that stand to gain the most are
also lobbying the most strongly on this issue. The mantra heard in
MD and VA from these lobbyists was that if the states didn't pass
UCITA then they would not be able to compete for high-tech jobs and
dollars. This is persuasive to legislators who don't otherwise
understand the issues. How would it play in the halls of your state
capitol?

So, what can *you* do? Well, first of all, educate yourself about
the issues. Start with Barbara Simons' editorial "Shrink-Wrapping
Our Rights" in the Inside Risks column of CACM (vol #8, August 2000);
also available at
www.csl.sri.com/neumann/insiderisks.html. You can also find
articles about UCITA and its impact at
www.ucita.org/.
Then, you need to communicate with your state legislators about the
problems this law would bring to your state if passed, and your
opinion thereto.
Remember -- the insider threat is not simply from employees. The
software you use may well be the biggest threat, along with its
vendor. What good is security technology when the law doesn't let
you protect yourself?