Preventing piracy at the cost of your privacy

cb a o.

The theft of intellectual property (IP) online is a serious matter. A 2011 report by the UK Cabinet Office estimates the value of lost IP to the UK economy at about £21 billion. Until recently the debate was about how to accurately define such losses and whether or not they represent real “loss”.

But, in recent months, the debate has moved on to finding ways of preventing these losses, and even about how to take the fight to those who steal valuable commercial and state IP. Not necessarily the retail products that are so often pirated, but trade secrets such drug formulae or aircraft designs.

I was hopeful then when I started to read a document published this month titled The Report of the Commission on the Theft of American Intellectual Property, because the members of the commission consisted of some big names: Craig Barrett (former CEO of Intel), Michael Young (President of Washington University), Slade Gorton (member of the 9-11 commission), Dennis Blair (former Director of National Intelligence), Jon Huntsman Jr (Governer of Utah) and Deborah Wince-Smith (CEO of Council for Competitiveness).

Much of what this commission writes and proposes has been described before, although they appear to advocate a much more proactive approach. Then, on page 81, towards the end of the document, is a recommendation that I found myself reading several times to ensure I hadn’t made a mistake. It states:

Support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means.

To ensure it meant what I thought it did, I read on:

Software can be written that will allow only authorised users to open files containing valuable information. If an unauthorised person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorised user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account.

Some of what they are proposing can be done using software we have today. In essence this program would be something akin to iTunes, offering access to digital material only by an authorised party (company or government). But beyond opening the said file by an authorised user, the software this commission now proposes would be capable of holding an unauthorised user to ransom by making them go to the police to unlock the machine. Those who develop anti-virus software call it “ransomware”. It is shocking that such an approach would be suggested as means of protecting IP. And beyond the ethical ramifications, there are practical problems too.

To be effective, this software would need to recognise that unauthorised users would not be using authorised software or known machines, and so any disabling mechanism would need to be pervasive. I am confident the anti-virus protection you (hopefully) have on your device would flag such software as undesirable. The only way it could be installed on a computer would be by disabling anti-virus software or installing the program with the operating software.

This opens a whole can of worms. Does this mean that the anti-virus vendors would have to be instructed to ignore certain installations? Will those who provide system software be willing to build in such disabling mechanisms? What about open source operating systems which you could theoretically go into and disable the disabling mechanisms?

We already have an epidemic of ransomware used by scammers. These programs claim you have been visiting inappropriate websites and that you must pay a fine to release your machine. They can be remarkably sophisticated, with localisation techniques working out where you are and displaying logos for police forces that you are likely to recognise. Personalisation and localisation are powerful weapons for scammer as they make their actions look authentic. At least at present one can advise the public that no legitimate software would do this and so when they are presented with such a message it must be malware. Instead, if this recommendation were implemented, it woulc simply make scammers’ job easier.

I can understand the desire to capture information about an event and trace where an authorised copy came from. But, like it or not, some countries have a different attitude to such matters than in the US and the EU. You might be told to contact, for example, a US law enforcement agency even if you were not physically located in the US.

But it gets worse. The report’s authors recommend that this is about supporting “American private entities”. Would properly empowered law enforcement agencies really want to be running such an operation? Would national authorities or local police really want to have the overhead of handling calls or emails from users who have had their machines locked in behalf of private organisations?

This whole mechanism is fraught with danger. I cannot imagine any piece of software, backed by the government or otherwise, will be well received if it has the potential to snoop on your activities online and lock your machine if you do something illegal.

By all means protect valuable digital properties, but this can be done by enabling only truly authorised users to read legitimately distributed material. This means you need to build security that is sophisticated to prevent copying, or to prevent the source from being compromised. State control or corporate control over machines that might “potentially” be used for unauthorised access should not be an option.