Sohliloquies

I'm a security engineer with a lot of side projects, most of which find their way here. I like to center my research around computer security, cryptography, Python, math, hard problems with simple answers, and systems that uphold their users' values.

You can also find me on Twitter.

20 February 2016

You Can't Legislate Reality

For thousands of years, geometers tried in vain to square the circle -- a task which, in 1882, was mathematically proven to be impossible. A result like this isn't really something you get to debate the specifics of. They call it "proof" for a reason.

That's part of what made the 1897 proceedings of the Indiana General Assembly so bizarre -- because it was there that lawmakers tried to pass a law declaring the problem solved. The bill might well have been passed by the senate, were it not for the intervention of a visiting professor.

This incident is one instance of a theme which recurs whenever legislatures collide with math or technology. The legal system just can't seem to wrap its head around how science works. Many are inclined to see malice in this tendency -- a sort of deliberate commitment to backwardness, a gleeful embrace of that which is known to be wrong. Tempting as this is, it's a good rule of thumb never to attribute to malice that which is adequately explained by stupidity.

What that rule of thumb fails to capture, though, is that many cases have plenty of room for both stupidity and malice.

In the instance of Indiana's Pi law, the ignorance of certain groups within the legislature was maliciously exploited to feed the egotism of the bill's author, an amateur mathematician trying to make his reputation "solving" impossible problems.

In the instance of the Scopes trial, the scientific illiteracy of certain parties involved was exploited to the benefit of evangelical religious fundamentalists with a well-established track record of using legislation in legally dubious ways.

And in the instance of many recent legal cases concerning copyright, patent law, digital rights management (DRM), intellectual property, cryptography, and hardware design, the ignorance of the legislative and judicial systems on technical matters has been (and continues to be) exploited by avaricious and sometimes malicious vested interests in both government and industry, who use their leverage to advance profoundly antisocial ends.

Cory Doctorow argues compellingly in his recent book, Information Doesn't Want to be Free, that modern attempts at digital rights management (which he refers to using a more general term, "digital locks") are not only futile but also harmful to everyone involved. The essential problem (and here I do Doctorow a great disservice by trying to briefly summarize some of his main points; really, his treatment of the topic is second to none and I can't recommend that book highly enough) is this: What digital rights management schemes try to do is to provide a user with access to a technology, but only for certain purposes -- which, to put it bluntly, is just not possible.

Computers are copying machines. They are very good at copying data, and they can do it at virtually no cost. If you can watch a movie on screen, what's to stop you from telling your display to quietly, in the background, record everything it's displaying? Likewise for audio: once this data is in the user's hands, the user can do what they want with it. This shouldn't be a surprise: computers are general-purpose, so this sort of flexibility is in their very nature.

All sorts of "solutions" have been proposed. Many devices now ship with purpose-built hardware meant to take control of a computer away from its user for the sake of giving manufacturers and content distributors stronger DRM controls.

Sony, never one to favor such above-the-board approaches, for some time had a standard practice of installing a backdoor rootkit on literally every computer that played one of their CDs, just so they could regularly check up on users and make sure they hadn't violated copyright. Read up on how that thing worked -- it's seriously evil.

Not that we're going to get into it here, but if you care about encryption and you haven't heard of the Clipper chip, that's a history lesson you might want to give yourself. Focus your attention on the "criticisms" section, and then maybe read the case made by Bruce Schneier, who has more credentials here than almost anybody. He also made a short post not too long ago about how the Clipper debacle relates to the issues we face today.

It might be hard to believe the situation has worsened in the last decade, but in some ways it has. The much-maligned Trans-Pacific Partnership (TPP) has been negotiated largely in secret, so that until November of 2015 nobody except for government and big business interests even knew what it entailed. Now that a full draft has been released, we can confirm that the situation is even worse than originally thought. The EFF has a good discussion of the main points that deal directly with technology law. This EFF article hits the major issues. Of particular note, the language is designed to stifle things like conducting security research, fixing your own software and hardware, or talking about whether it's even possible to break DRM. And if you've ever pirated an album, may god have mercy on your soul.

(Edited to add: Less than an hour after I published this post, Doctorow shared on his blog another simple breakdown written in conjunction with the EFF, which is well worth a read.)

These are all things they want, and things they've been trying to implement, but software solutions to these things aren't possible, and so they've turned to legislating reality instead. If they can't outright stop you from copying a copyrighted file, and they can't justify undermining the designs of hardware (including the hardware they use!) in the process of trying to stop you, they can at least try to pass international laws letting them break into your home, confiscate your computer hardware, potentially destroy any or all of it, seize any domains you own, and throw you in jail, if they even suspect you've ever broken copyright. Yes, really. Go read the documents if you don't believe me -- it's all in there.

At what point are we going to recognize how fucked up it is that these are the priorities driving the world's major governments? When is enough enough? If this isn't enough to push us to that point, what will be? Will anything? Do we really have so little spine, so little self-respect? Is there no limit to the abuse we will tolerate?