Saturday, May 20, 2006

New Computer Laws - Are they too Broad?

Recently, several new bills here in the US and in the EU could have a pretty big impact on the IT security world. Are they too broad? Can we fix them before it is too late? Is it even possible to fix them?

These are hard questions and I don't have all the answers, but here are some of my thoughts on the issue.

1) Dual-Edged Sword - The tricks, skills and tools of the IT security world are commonly called dual-edged swords. Security tools are just that - tools, no different than a gun, a sword, a hammer or a butter knife. We deal with these pretty well in the real world. Cops don't go out into the woods and arrest hunters because they are carrying shotguns. Do they? Intent and context are the true factors that give the law weight. Exploits, like guns, can be used to break into a network...but that same exploit can be used by a security-minded network admin to find a vulnerable server on the network and as a result jump start the protection process.

2) The Grey World - For a long time, I have talked with my friends about the balance of the force in the world. People have the ability to be good or bad, tools have the ability to be used for good or bad. The world truly is Yin and Yang. I am a huge believer in maintaining the balance. Most of the governments in the world are based on the idea and will fail to function without it. If the balance is not maintained, then things start to function in ways that are not desired - Absolute power corrupts absolutely.

So how do we, as a world, apply the black & white letters of the law to a world of grey? Very carefully, that is how. It is like a never-ending dance...ever changing, ever shaping. What is illegal today could be legal tomorrow...and vice versa. This idea seems very simple when applied to the real world...but it becomes much more cloudy when applied to the virtual world.

We are seeing just how cloudy with these new bills:

1) Possible Update to the UK Computer Misuse Act (CMA)

2) Truth in Caller ID Act of 2006 - this one is pretty good since this trick is rarely needed beyond law enforcement....that assumes I am ok with PIs tricking people..umm...I guess so.

3) Issues with the DMCA

4) UK RIP Act - forcing people to hand over encryption keys....

So how do we make objective laws that take into account subjective intent and context? That is a question for the ages, I think.
