http://mail.gnu.org/archive/html/dmca-activists/2003-04/msg00004.html
[DMCA-Activists] Notes from yesterdays' 2743 hearing Date: 03 Apr 2003 18:36:33 -0500 -------------------------------------------------------------------------- ------ I probably mangled some names and missed some points here, but I think I got most of the major points. Yesterday, I went to a hearing for House bill 2743, held by the Joint Commitee on Criminal Justice. Initially present were Representatives Paulsen, Linsky, Hillman, and Vallee and Senator McGee. Showing up later were Festa (10:25), Brian Knuuttila (10:50), Daniel Webster (11:15), and Walter Timilty (12:45). It got very loud outside towards the middle of the morning. Some identity theft issues were discussed before the 2743 speakers started. The plan of the day was to hear supporters of bills first, then those who oppose it. So, at some time after Festa entered, the MPAA rep Amy Isabelle (sp?), a VP of State Legislative Affairs was called. She claimed that the goal of the at was to "Prevent Theft". The MPAA is in Washington today working with electronics manufacturers and consumer groups to fix the drafting of these acts. Other states have already passed them. Then she went on the defensive. She set up the straw man that people claimed that these laws were copyright laws. She claimed that there was an intent requirement, and referred back to earlier (unrelated) comments by the Attorney General's office, which mentioned prosecutorial discression, and stated that the laws wouldn't be enforced against normal uses. James DeRosa spoke against the law's current form because it's overbroad. Rep. Hillman said that he used a router to hook his four computers up to his cable connection, and that his TOS allowed this. He wondered if the act would allow this. He also called back up the MPAA rep, who said that this could and would be fixed. She also mentioned again prosecutorial discression. Linsky wanted to make sure that the acts the law criminalized were things ordinary people would recognize as crimes. Isabelle replied that the act was intended as a deterrent, but couldn't give any specifics. She said that cable experienced 6.5 billion dollars per year in "losses." She said the law was intended to go after people who make cable descramblers. Linsky asked if any new crimes were being added here, crimes that couldn't be covered by existing bills. He mentioned the general larceny statute. Isabelle replied that lawyers tell them that yes, they needed these laws. Linsky said, skeptically, "*your* lawyers tell you." The American Electronics Association was up next. I couldn't catch the speaker's name. He opposed the law because it was too vague, but didn't give many specifics. Roger Dingledine was called. He mentioned that he had written an anonymizing web proxy, and said that it was intended to keep people like Doubleclick from tracking you and selling your information to telemarketers. Hillman said that hacking was a danger, and wondered if these anonymity services would make it harder to track down criminals. Roger replied that he bill actually hurts internet security, and that hackers are already breaking the law and wouldn't be deterred by this law. Then he mentioned his Navy contract and talked in vague terms about Mixminion. I spoke here. My planned speech is reproduced below, but I didn't read from the page, because the senators said that they didn't want to hear that, they wanted to hear personal statements. Written statements could be submitted. I've added to the text below some comments which I added to my actual speech, responding to the MPAA's points. My name is David Turner, and I am a copyright specialist for the Free Software Foundation. The Foundation is 501 (c)(3), Massachusetts non-profit Corporation based in Boston, dedicated to the free dissemination of information. The Foundation opposes House Bill 2743 because of both major provisions of the bill, 166:42B, sections (a) and (b). Section (a) prohibits receiving communication services without the express consent of the communication service provider. This means that you can't use a radio or television without permission from the broadcasters. Nobody is going to tell you that you can't watch TV, but they might tell you that you can't record it, a right the US Supreme Court affirmed in 1984. They might tell you that you can't use your TiVo to pause it while you answer the phone. The Motion Picture Associate of America, primarily through its Copyright Protection Working Group, has already said that it wants to limit these sorts of freedoms. We publish, under our copyright, from our web site here in Massachusetts, a computer program called GNU Radio. It receives radio and television signals, and puts them into a form suitable for processing by computer. You can use GNU Radio to listen to the radio or watch High Definition Television on your computer. And it would be easy to reprogram it to "pause" live radio just like TiVo now does with TV. Under current federal law, this is called time-shifting, and is perfectly legal. But broadcasters are hostile to this new technology, and House Bill 2743 gives them the means to attack it. The MPAA representative has raised a few points which I want to address. First, she points out that the act isn't a copyright law. This is true, which is problematic, because it has no provisions for fair use like copyright law does. Also, she mentioned prosecutorial discression, which doesn't actually help in this case, because there's a private right of action. Finally, the definition of a Telecommunication Service Provider requires that there's compensation. I have a quote, not handy, from AOL Time Warner CEO Jamie Kellner, who said that there was an implicit contract, that you pay for TV by watching the ads. So television definiately counts. We believe that people ought to be allowed to build innovative technology like GNU Radio without interference from the government or media companies. Although I'm too young to remember it, I'm told that people used to be required to rent phones from the phone company. People would get in trouble for using third party phones, and had to pay for each extension. If TV and radio broadcasters have their way, you may have to rent your radio, TV, and VCR from them, or only use "authorized" equipment. And this equipment won't have a record button. We also oppose section (b), but all of the cryptographers here have told you and will tell you about the problems with that. Senator McGee asked me which provisions the Foundation opposed, and I responded that we opposed both (a) and (b). I then asked if he wanted to hear something new about (b), which hadn't been mentioned, and he grudgingly agreed. I replied that (b) says that you can't hide where your communications are coming from, or where they're going. There are lots of reasons you might want to do that. If you're a real estate developer, and you need to buy five plots of land for a development, you wouldn't want your intentions to get out, because the prices would rise. If you're sending email to one of the landowners, you might encrypt it, so that nobody but the landowner can read it. But if the other landowners noticed that someone from a real estate firm was mailing all of their neighbors, they might figure out your plans anyway. This is called traffic analysis. Since many communication systems, such as broadband internet via cable, have little in the way of security, this would be easy and undetectable for a savvy landowner. If you can hide the origin of your mail, you're protected from that threat. Section (b) prohibits this, leaving you at the mercy of hackers. --- Brian Hannum (sp?) opposed the act, because it potentially outlawed VPNs, which are needed for security. Paragraph (b) has no intent requirement. "We just make the software, we don't control how it's used." Also, because each device is a separate offense, the penalties could be huge. He also spoke against (a), because NAT and PVRs aren't authorized by cable providers. Knuuttila asked what the need was for privacy, and didn't mind profiling. On the other hand, he was affraid of criminals. Hannum mentioned the history of poor technology regulation. Then he said that tools ought not to be criminalized. He feared the law's chilling effect, and mentioned that the DMCA had already had chilling effects (he mentioned playing DVDs on Free Software operating systems). John Palfrey, the Executive Director of the Berkman Center came to talk, but in his personal capacity. He was extremely professional, articulate, and passionate. The law has many unintended consequences, and is effectively a special interest law. He mentioned that the MPAA were the only ones there to support it, and their representative didn't even know local laws. He said that the legitimate aims of this law were already covered by the DMCA and Patriot acts. Internet law is a mess, and this law only adds to the confusion. "I don't know everything it criminalizes, but it's very, very broad." And people don't know which acts are legal, and which aren't already. This law would only make that wose. Also, the law would hurt fair use, and legitimate research, and free speech. At the end of his speech, the programmers in the room spontaneously applauded. It was the only applause for the entire day. McGee mentioned that the federal government got Napster shut down. Palfrey replied that yes, current laws work fine. This new law is overbroad. Vallee said that internet security was very important, and mentioned cyberterrorism. He asked how this law would affect security. Palfrey said that yes, internet security was very important, and that this law criminalized common security measures. Callee asked about the recent DDOS attacks on military computers using zombies. He asked if anonymity tools would stop the government from tracking hackers. Palfrey said that it might, but that this was the wrong bill to stop that. The Patriot act is the right bill, and it's already passed. David Carroll spoke next. He was probably the oldest programmer speaking. He submitted the New York Times article mentioned on Freedom To Tinker (http://archive.nytimes.com/2003/03/27/technology/circuits/27basi.html), and said that the technologies mentioned therein were "pretty good anonymity" (laughs from the programmers). He pointed out that, despite anonymizing proxies, the government can still trace communications, because they can cross ISP boundaries. He also said that it was odd to think of content providers as communication service providers. He mentioned that content providers could control the tools used to view content, and that this hurt interoperability. Finally, he pointed out that you might not be able to figure out what spyware was sending, since it was providing a communication service. He said that the DMCA has an exception for this, but 2743 doesn't. There was a long break from 2743, while the rest of the people present were called to speak. After the non-2743 speakers, David Martin was called. He's an assistant professor of computer science at UMass Lowell. He pointed out the unintended effects of the law, saying that some of his assignments in his security classes could violate this act. He was also concerned about the intended privacy implications of the act. About 88% of Internet users were concerned about internet privacy. He mentioned identity theft, going back to a topic which had been discussed earlier in the day (about unrelated bills). He mentioned Safeweb, an anonymizing proxy which got 3 million hits per day while it was alive. It was funded by the Voice of America. He was also concerned about concealing the locations of his communications because it might not be technically feasible. "Most people think of communication as person to person. But computers talk to computers, and users may not know where their messages go." Also, Carnivore could be used to catch criminals who use these services. Nick Mathewson mentioned that human rights workers, abuse victims, and whistleblowers have a need for anonymity. He was also concerned about ESMTP, NAT, and VPNs. He mentioned location-hidden servers, which would resist attack. He said that sure, some privacy services can help criminals, but so do cars. "We can't build a privacy service which doesn't shelter some criminals any more than we can build a car which can't be used as a getaway car." The existing law enforcement system does work, hackers are in jail. Hackers will only be helped if we can't use these systems -- it won't stop them from using them. He also went back to the lack of intent requirements in (b) and (d). Representative Vallee stepped in here, and said that he wanted to hear original, personal stories. He was tired of hearing the same thing over and over again. Thomas Bolioli (sp?) said the law was overbroad, and that network protocols were layered, and it wasn't clear at what layer this stepped in. He also mentioned that, despite what the MPAA rep said, there were no intent provisions in the Michigan bill. Ravi (long south indian name which I didn't catch) wasn't a security expert, but used security tools. He has to use crypto for his job. This bill is a symptom of the technology legislation mindset that to regulate new technology, old definitions simply need to be expanded. He said that instead, new technology must be considered on its own merits. Derek Atkins addressed Knuuttila's point that he didn't need privacy, by asking if his kids needed privacy from stalkers. He was worried about technology regulations because technology doesn't know about intent, and can be used for good or evil. He also mentioned general freeedom of anonymous speech. Finally, he said that security discussion is important because the bad guys already know the bad stuff, and the good guys need to be able to talk about how to stop attacks. Dan Barret described the technical people as "canaries," the first sign that something was wrong with the law. But if passed, it would hurt everyone. He mentioned that printing the NYT article earlier might violate the act by retransmitting communications services without permission. He said that technology people were very angry about this. McGee noted that the MPAA representative had already left, and that the technical people had stayed, showing their devotion. Scott Ananian, a MIT grad student and DMCA protester noted that the "plans" forbidden by the act are simply speech. Security papers are full of plans for exploits, and security researchers and system administrators need to have access to these to stop them. Then he made the almost certainly nonsensical claim that the law would stop law enforcement from posessing these tools, even when they were evidence in crimes. Michael Bower said that anonymous speech was a free speech right, so (b) was bad with or without an intent requirement. He described the old history of anonymous speech, including the Federalist Papers but not McIntyre. He also said that spam was part of this, and was protected. He said that protestors and other controversial speakers needed anonymity, and pointed out that it was a way for speakers to focus listeners' attentions on the message, not the speaker. Matthew Morse said this was special interest legislation, that cable was one-to-many communication, while the internet was two-way. He was worried about all the laws the media companies are trying to pass, trying to turn the 'net into a one-way medium. Rachel (didn't catch last name), a biologist, said that everyone needed privacy, and that technology regulation in general is harmful, because it hurt interoperability and market competition. _______________________________________________ http://www.mccmedia.com/mailman/listinfo/brin-l
