by Niall Douglas in association with NamesFacesPlaces
This is the second of a series of articles about threats to our industry - not just to the IT contracting industry, but to any part of IT which is indigenous to Europe and most specifically the United Kingdom, which is in my opinion the most vulnerable of the IT industries within the EU.
This article along with others in this series explores the consequences of the draft UK implementation of the European Copyright Directive (2001/29/EC) if the draft were to pass into law as-is. The UK Patent Office is accepting commentary from the public until October 31st 2002 - though it is better if your MP makes the comment instead of you. We shall warn you that the UK Patent Office has a history of ignoring any comments not to its liking, so be prepared that we may have to fight for amendments to the bill in the Commons sometime in Spring 2003.
The EU directive speaks of "technological measures" which guarantee the rights of the copyright holder. Pursuant to this, a protection mechanism such as encryption can be used to make it hard for someone to gain access to the encrypted and thus protected data. The directive is quite clear that attacking any form of protection mechanism should be illegal, much as the US's infamous Digital Millennium Copyright Act (DMCA) does.
However while the DMCA made a felt-tip pen illegal, the EU directive clearly has optional exceptions based on national law and what the implementer feels is reasonable. Unfortunately, the UK draft does not contain an exception for investigating weaknesses in an encryption system.
The great problem with the law as it is currently proposed is that anyone who finds a failing can be criminally prosecuted even if they acted in good faith. For example, if you bought an electronic book key and one day you typed in the wrong key only to find the book opened anyway, you would probably send an email to the manufacturer.
But say what happens if they did nothing. You might feel bad and make your knowledge public to try and pressure the company into fixing the problem. Under the proposed law, that company could then have police sent round who could confiscate your computer (the article used to circumvent the encryption), take you off to prison for a while and probably fine you as well.
Obviously, before long no one would bother reporting security flaws. And certainly there would be no encouragement for the manufacturer to fix their faulty product.
Making it illegal to attack an encrypted product is stupid because most programmers unfamiliar with the difficult mathematics unintentionally implement very poor encryption laden with holes. This is easy to prove - just take a look at the most recent Microsoft security alerts or indeed the list of encryption bugs fixed in Unix or KDE. This author himself has integrated an encryption library into his code and while I consider myself a competent programmer, I will admit I blindly plugged in the code and left the rest to prayer. I certainly don't possess the knowledge to attack encryption and I know exactly one programmer who does.
While I would prefer attacking to be legal and the use of the circumvention for profit to be illegal instead, the EU directive is quite clear that attempting to circumvent with intent must be illegal. However I think that in order to encourage better engineering of encrypted products the UK draft could guarantee immunity to anyone attacking the encryption if they report the failing to the manufacturer at least three months before they make it public. If the manufacturer hasn't taken remedial action with three month's warning, they deserve in my opinion to have a product without any effective encryption and no legal recourse.
This exception could be provided in the public interest, using the provided exemptions in the EU directive.
We should not give incompetent & lazy companies this big stick with which to hide their stupidity and lack of quality control. We have enough shoddy computer software out there already.
25th September 2002