Sunday, July 14, 2013

Thanks EFF for outlawing code

The EFF has been at the forefront calling cyberweapons "unethical" and "dangerous". As a result of such rhetoric by the EFF and many others, the next NDAA (National Defense Authorization Act for 2014) will likely contain provisions to regulate cyberweapons. The text of the law is at the bottom of this post.

This demonstrates the Orwellian nature of EFF's populism. They don't stand for principle but for popularity. They abandon their principle that the Internet is sovereign when they promoted Net Neutrality. They abandon their principle that code is free speech by suggesting that some code needs to be regulated.

The text of the NDAA, below, calls for the president to implement export controls on code:

 SEC. 946. CONTROL OF THE PROLIFERATION OF CYBER WEAPONS.
(a) Interagency Process for Establishment of Policy- The President shall establish an interagency process to provide for the establishment of an integrated policy to control the proliferation of cyber weapons through unilateral and cooperative export controls, law enforcement activities, financial means, diplomatic engagement, and such other means as the President considers appropriate.
(b) Objectives- The objectives of the interagency process established under subsection (a) shall be as follows:
(1) To identify the types of dangerous software that can and should be controlled through export controls, whether unilaterally or cooperatively with other countries.
(2) To identify the intelligence, law enforcement, and financial sanctions tools that can and should be used to suppress the trade in cyber tools and infrastructure that are or can be used for criminal, terrorist, or military activities while preserving the ability of governments and the private sector to use such tools for legitimate purposes of self-defense.
(3) To establish a statement of principles to control the proliferation of cyber weapons, including principles for controlling the proliferation of cyber weapons that can lead to expanded cooperation and engagement with international partners.
(c) Recommendations- The interagency process established under subsection (a) shall develop, by not later than 270 days after the date of the enactment of this Act, recommendations on means for the control of the proliferation of cyber weapons, including a draft statement of principles and a review of applicable legal authorities.



Update:

The EFF article I link to above is at https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate. It doesn't explicitly say "0day must be regulated", but it's hard to read that post to mean anything but that.

The EFF article calls the 0day market "a dangerous but largely underreported problem". In the middle is this paragraph:
The existence of a marketplace for such transactions does not legitimize the practice, and security researchers should never turn a blind eye to their ethical responsibility to help improve technology. We should help ensure the Internet promotes freedom and safety, and is not a system to control and oppress.
The last line strongly sounds like a call to regulate code.

Another paragraph from that same EFF post is:
A good cybersecurity discussion would address this issue head-on. If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal.
Again, a reasonable person would infer that this mention of bills, directions, and policy is a call to regulate.








5 comments:

Anonymous said...

Oh, I wonder if we are going back to the good ol days (that I'm too dang young to have experienced) of crypto being illegal for export if it is above a given strength. Theoretically, you could extend this law

That second clause, good god. I mean, it screams that no one except the government has any right to bear cyber arms. OH but wait, not just the government, but the corporations that pay for the privilege of being able to use such things in their own defense. So, Americans have no right to defend themselves but corporate entities do? Welcome to the plutocracy, shut up and enjoy your stay.

Now, I'm not even an American but this makes me sick to the core that old, rich men are allowed to do such things by the rest of America. But that's democracy for you: concentrate all the popular stupidity in one place. Perhaps the philosophes were right, enlightened despotism is the right way?

Anonymous said...

Net Neutrality is a requirement of a truly sovereign Internet. To say otherwise is to through your lot in with those sorry fools who complain when those who preach tolerance don't take head of the backwards and bigoted who preach intolerance.

Anonymous said...

And yet they're the only org in the field that continues to stand up against overbroad export regulations... https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-your-customer-standards-sales-surveillance-equipment

Anonymous said...

I think it's a lot less cut-and-dry than you make it out to be.

Based on the first quote, it looks like they're stating that there is a problem, not proposing a solution (yet).

The second quote sounds like they're for regulating the use of exploits, not the distribution.

It sounds like you've already made your decision on this matter before considering the evidence.

lnxwalt said...

As one commenter already noted, without Net Neutrality, the Internet comes under the control of the corporations that own the "last mile" wires into our homes and businesses. In effect, it becomes "ComcastNet" or "VerizonNet".

Secondly, looking at the links you posted, the EFF has not called for anything like what you've accused them of. Perhaps you are reading through lenses of your own preconceived ideas. If you remove those lenses, you may have to issue a retraction.