Sunday, October 12, 2014

Don't sign that CFAA petition

This White House petition to reform the CFAA/DMCA is foolish. Don't sign it. We all support the goal of decriminalizing research, but this isn't the way to do it.

The problem is that "reform" means nothing. It doesn't state exactly which reforms the petitioners want. That means politicians will deliver on what they asked, reforming the DMCA/CFAA, but in the opposite direction. The mood in Washington D.C. is one of great fear of Chinese hackers and cyberterrorists. Once you start reform, these forces will take over and drive it the other way.

In other words, the petition is like somebody on a submarine saying "the air is stuffy, let's open a window and let some fresh air in". It's best to keep that window closed rather than getting drowned.

A second problem is the declaration that "safe code" is the problem. That will encourage law-makers to solve that problem with legislation requiring manufacturers to follow rules -- without needing to weaken the DMCA/CFAA. This is bad. So far, rule-based security like Common Criteria and PCI certification has proven to be an enormous burden that does little to address the problem.

Lastly, there is the problem that this is a "White House" petition. The president doesn't make laws, s/he enforces them. It's appropriate to petition the White House to publish narrower rules on how DMCA and CFAA will be prosecuted, but inappropriate to ask for a law. Instead, if you want changes to laws, the best place to start is to talk to your congressional representatives. Call them up and schedule a time to talk to them. You'll likely talk to a staffer in a local office, but this will still influence them. Signing a petition takes no effort, and politicians therefore give it no credence. Showing up at their offices, or spending time talking on a phone, takes effort, showing that you really care.

Personally, as a white-hat researcher who scans the Internet, I'm most at threat from the CFAA. Yet, I'm not going to sign that petition. I have talked to my congressional representatives. I have also signed this letter, which much more narrowly defines our goals.
