Security UPDATE, Web exclusive, June 25, 2003

1. In Focus: Legalizing "Hacking Back": A Comedy of Errors

by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

You might have heard about the comments that US Senator Orrin Hatch of Utah made about fighting copyright piracy. In brief, Hatch advocates using Trojan horse technology to destroy the computers of people who are thought to have pirated copyrighted works more than twice.

Hatch's sentiments echo ideas that those with vested interests in the entertainment industry have voiced before. He believes that we might find better ways to stop piracy. However, if stopping piracy takes destroying computers through Trojan horse code, he's for it. I think that the vast majority of you will agree that Hatch's ideas go against the ideals of democratic society.

Such "hacking back," a form of vigilantism, involves several problems. First of all, catching and punishing criminals is work for law enforcement and judicial systems, not copyright holders. In addition, we currently have no way to determine from a remote location who's actually using a computer or how serial violations might occur.

For example, one person could use a public computer, perhaps at a library or Internet cafe, to download files. If that person inadvertently or unknowingly downloads copyrighted data that wasn't authorized for public distribution, that's one strike against that computer. A second person might later make the same error. Under the ideas that Hatch supports, if a third person downloads copyrighted data not authorized for public use, the injured entity could destroy that computer with a Trojan horse, which the entity would probably launch from a remote location. Meanwhile, the library or Internet cafe would suffer a significant loss for something it did not "do."

The idea makes little sense. I'm sure Hatch meant well in acknowledging software piracy as a serious problem; however, he doesn't seem to understand the underlying technical implications of this form of prevention. People have pointed out that destroying a computer used to download pirated material is akin to destroying the engine of a car because police caught the driver speeding in that car too often. The idea is to produce a financial loss in retaliation for a financial loss, but it amounts to punishing an inanimate technological object for the acts of its operators.

The timing of Hatch's statements was rather ironic. According to a "Wired" report [http://www.wired.com/news/politics/0,1283,59305,00.html], at the time the statements were made, Hatch's Web site was using unlicensed copyrighted JavaScript code to facilitate its menu system. (A notice posted on Milonic Solutions' Web site [http://www.milonic.co.uk/menu/] states that the license issue with Hatch's Web site has been resolved.) If Hatch's ideas became law, the computer running his Web site could have been destroyed and Hatch, a lawmaker, denied due process. I seriously doubt that he would have appreciated that.

According to "Wired," the JavaScript code on Hatch's Web site belongs to Milonic Solutions, whose menuing-system code was (at the time of this writing) being used without license across large parts of Continental Airlines' Web site. Furthermore, according to Milonic Solutions, someone had stripped all copyright notices from the menuing code Continental uses. Imagine the impact if a Trojan horse were legally unleashed to destroy Continental's computers. Make any sense to you?

Many copyright holders need a way to better control unauthorized duplication of their works. But using Trojan horses to destroy computers isn't a good answer. Microsoft's Digital Rights Management (DRM) technology might help when it comes to certain types of data. But if someone really wants to pirate copyrighted materials (e.g., code, multimedia, documents), current computer technology--including DRM--simply can't prevent that piracy 100 percent of the time. Quite a dilemma.