Hacker Crackdown?

rombouts noted that Salon has a good piece on the liability of programmers. From Napster, to Freenet, to DeCSS, on down. If you're scared by any of this, you should be. There are a lot of cases out there right now that are gonna change the world, and folks, it could go either way.

Re:Why stop there?

[Upsilon]

I think you hit the nail right on the head there, but I think I'll generalize your point to reflect a certain belief I've had for a long time (watch out for the abuse of html tags):

Creating laws which cannot be universally enforced leads to arbitrary enforcement

OK, I'm kind of stating the obvious there, so I'll explain further. If we as a society create laws which have no hope of being enforced consistently because of the number of people already breaking these laws, then we are opening the doors to abuse by the government and police. We end up with a society in which everyone is guilty of something, but the only ones being punished are those who are disliked for some reason. The reason can be just about anything. You give the example of racism, which is a very good one, but is also unfortunately only the beginning. We could end up with a society in which a reporter uncovers some dirt about somebody in power, and ends up going to jail because of it. Sure, the reporter in question could never be directly prosecuted for uncovering dirt (hopefully, although the way our society is going...), but those in power might tell the police to go and arrest the reporter for a crime that everyone commits. This creates an atmosphere in which people are afraid of criticising their leaders. Unfortunately, we are already headed down that path. How many of you can honestly say that you never do anything illegal, and that if the police were watching you 24 hours a day they could find nothing to arrest you for?

Unfortunately, more and more laws are being made that can never (and should never) be effectively enforced. It's not part of a grand conspiracy, but the end result is the same. The reason is simply that the people are always screaming for the goverment to do something, but they never seem to care whether or not what the government did had any effect. They just want laws to "protect the children" and whatnot. But this doesn't simply result in a bunch of worthless laws that we can all laugh at and go home. It ends up creating an environment that is practically asking for government abuse. And abuse they do. And it's only getting worse...

Where do we draw the line?

[dsplat]

Which of the following can't be used to distribute pirated copyrighted data?

• ftp
• Apache
• nntp an your favorite newsreader
• E-mail clients and transport agents

An important question to ask is whether more piracy has been committed using Napster or Microsoft Outlook Express. Measure it in incidents or megabytes. How much copyrighted material has been e-mailed, posted to Usenet and posted on Web sites using Microsoft Outlook Express and read using it as well.

I want to be very clear about this. I am not criticizing Outlook Express. I also don't believe for a minute that Microsoft every intended it to be a piracy tool. Nor do I believe that Microsoft should be liable in any way for the fact that it can be used that way.

Any tool that allows us to publish any data can allow us to publish someone else's copyrighted data in violation of that copyright. Failing to hold the person who committed the violation liable and attacking the programmer who wrote the software instead is at best simply choosing a target of opportunity, who may have partial culpability. At worst, it is scapegoating and a search for deep pockets.

Accountability is good - and inevitable

[J.J.]

I'm disappointed in the Salon article. They typically do a decent job of getting things in perepective - but, as you've probably guessed from my expression of disappointment, I think they missed the boat this time.

I think this issue makes more sense when you divide it into two:

1. The growing trend of companies being held accountable for the use of their products.
   
2. The accountability of software authors
   

The salon article uses the industry that gave us guns, bombs, car and pantyhose as examples of product's creators being separated from the usage of their products. Their argument was valid five years ago, but today it's shot to hell:

• Cars: There's an entire industry based on car manufacturers determining whether a defect in one of their cars is worth the cost of a recall. Remember Fight Club? Edward Norton character's lawsuit price v. recall cost equation?
  
• Guns: In the past two years, lawsuits have sprung up in a number of major cities in America aganist the gun manufacturers themselves. They were insisting that the manufacturers didn't include the best safety controls, or that they provided a prolific number of guns down south, where gun laws are less strict, knowing full well that they'd trickle back north to the large cities. Read this and this. They're appaling!
  
• Tobacco: Do I even need to make an argument here? Big tobacco has been held accountable (to the tune of hundred of billions) for the actions of their customers, who knowingly smoked the cigarettes, even while being warned continously from a number of angles.
  

When you take a step back from our little microcosm and look at the rest of the world, you can see the growing trend of companies being held accountable for the usage of their products - either intended, in the case of tobacco, or unintended, as with the gun industry. The system is primed and ready to take poor Shawn Fanning and his little Napster upon the gallows for a good ol' public execution. Hanging might have gone the way of the Dodo, but the effect is going to be the same.

The second issue is accountability of software authors, specifically. Hey folks - if you've just been skimming, pay attention now and let me tell you something: Holding software authors accountable for their software is a good thing! (It's also inevitable, but you'll see that) I know I'll get flamed for saying that, but give me a second.

This discussion comes up on Slashdot about once a month. Folks gripe about companies paying the kid down the street to make them a web site, because the kid will do it for far cheaper than a real professional, and have similar results. But once the kid delivers, the company still doesn't have the product it was looking for. So then, they come to the professional.

There needs to be a way to differentiate between you, the professional software engineer, and the kid next door. Sure, you can get MCSE, CNA and a whole slew of other acronyms after your name, but that's not working. Every other engineering discipline has a certification exam that allows you to personally ceritfy yourself as a Professional. Once you're a Professional Engineer, you're held responsible for your work. Civil Engineers are held liable for their bridges, Mechanical Engineers for their machines, and it's a Good Thing. It forces the engineers to hold to their design process and keep the level of quality high.

Every software engineering text that I've read supports this trend towards accountability. The process of creating large software products is slowly becoming more and more of a formalized process. Formal procedures are good, because software design is inherently a very difficult process to make step-by-step. Changing requirements, ignorant customers, bad technology, they all work aganist you. This formal specification of the software design process creates accountability, in the form of Software Requirement Specifications (SRS). A contract, between the company and the customer, outlining the expectations of the new piece of software. The beginning is there.

Companies are going to be held liable for their products. That's inevitable, given the larger trend in our system. But is it fair to hold a kid, be it the DeCSS kid or the Napster kid liable for making public the result of their late-night tinkering? I don't agree, but then, I've got the perspective of the tech-savvy.

Napster probably will be shut down. Shawn Fanning probably will held accountable. We're liable to see a veritable witch-hunt begin over the course of the next couple years as a result. But, in the end, the legal system as well as the software authoring world will be a more mature place. Will a formal system of accountability get set in place? (shrug) The ball is rolling. Which direction it takes down the hill, and what bumps it'll hit are unknowns. But it is rolling.

Read the Risks Forum

[goingware]

I say this all the time here, I think it is important. It is very pertinent to programmer liability (although more from a safety or cost of failure perspective) - read the Forum on Risks to the Public in Computers and Related Systems. It is also available on the Usenet News as comp.risks.

If you think programmers can really escape liability for their products (or should), think about what kind of effort and investment companies like the tobacco industry and auto manufacturers of automobiles and childrens toys and food put into defending themselves from lawsuits and government regulation.

It's only a matter of time before the public rises up and demands accountability for software. Imagine a senator getting elected on the platform of promising to put programmers behind bars for writing software that is unreliable. Or a district attorney setting out to put programmers behind bars, not for hacking or writing viruses, but for writing products that don't meet government standards.

I haven't read it yet, but the Software Conspiracy looks interesting.

A problem; a solution.

[Greg@RageNet]

A problem

Unfortuantely american society (among others) is leaning in a direction where the individual is no longer accountable for their actions. Liability for individual's actions are being shifted to product manufacturers. This is mostly thanks to lawyers and greedy americans who think they can get the 'big score' by suing large corporations. Additionally large corporations use lawyers and litigation to intimidate individuals out of behavior that while technically legal is contrary to the way corporations believe things should be done.


You aren't responsible when you spill coffee on yourself, McDonalds is.

You aren't responsible when you get a terminal desease for using a product you knew was unsafe for twenty years, Philip Morris is.

You aren't responsbile when you shoot someone while mugging them, Smith and Wesson is.

You aren't responsible when you pirate music, Napster is.


The terrible end result of this strategy is that your individual rights and fredoms are stripped from you by government because you keep proving time and again that you do not want to be responsible to weild these rights. Government turns into a big babysitter.

Thats the big picture; damn sad where we are going. But to focus on what you can do today to protect yourself:

A solution

Anyone who is considering doing something that may draw the wrath of lawyers should consider incorporating. Incorporation provides protection to those who work for corporation so that these people are not fiscally liable for the actions of the corporation. Thus if you write something somebody does not like and you sign all rights to this code over to your corporation (and licensing this code out with GPL or equiv). Then when the lawsuit comes they can only go after whatever assets your corporation holds, rather than your personal assets.

Incorporating is fairly simple, and involves either some research on your part or paying a lawyer to get things moving. I'd say you probably won't be set back more than $1000, and probably around $150/yr to maintain it (could be more depending on which state you incorporate in and how much research and accounting you do yourself).

It's cheap insurance if you anticipate legal threats. One caveat is to ensure you act within your corporation's framework; if you do things that blurs the line between you 'the corporation' and you 'the individual' you could become personally liable again.

-- Greg

IANAL, so go seek one's advice if you'd like to learn more about incorporating and liability.

Re:Hence: hacker-speak

[KahunaBurger]

My previous example was indeed a bad one, so I will make a better one. A user creates a web-page of file aliases. He then posts random_file_00416.mp3, adds 5-10s of buffer whitespace to throw off file size checkers, and lists on the webpage that random_file_00416 is indeed a metallica mp3. Once again, the actual name means nothing. Give it a little more time, and a Napster client clone might even incorporate such alising and make it transparent.

Thank you, this is a different issue and somewhat more relevant. The first question seemed to be "What if the filters accidentally block 'legitamate' content?" Which seemed to me to actually be deliberately misleading content, and thus not legitamate. The second question is "what about people getting arround the filter to still post illegitamate content?" The answer is the three simple words that make or break a company in terms of liability :

GOOD FAITH EFFORT

Contrary to what some Napster supporters would have you believe, they do not need to prevent anyone from ever using their product or service for piracy. What they must do is make a good faith effort at prevention and reduce the piracy use. Instead, they seemed to do everything they could to encourage illegitimate use of the service as part of their business model. This is why they're in trouble. (Its also why the Salon article was so silly, but thats another part of the thread.)

A service of that size can't reasonably be required to verify more than the filename or link name within their web page or servers.

Very true, though they could also de-annonymize it to the extent that when illegitamate use is demonstrated they can kick the violaters off and have it mean something. But those efforts combined would show enough good faith to get them mostly out of the hot water they've dunked themselves in, even if it doesn't eliminate all illegitimate use.

The liability world is all about good faith efforts. This is why an anti-harrassment program will reduce a company's liability if harrassment does occurs. Its not useful to ask "can they ever stop all illegitimate use of their service?" You have to ask "Are they making a good faith effort to reduce such use?" On this point Napster fails, and if we focus on that failure we can make sure that an artist centered venture suceeds.

IMHO, it is the Napster advocates who are endangering the use of the net as a promotional tool for unsigned artists. By claiming that Napster cannot prevent illegitimate use, they are handing the RIAA the amuntion it would need to shut down a service meant to promote artists (who want to be promoted). After all "even advocates of on-line music admit that nothing can be done to prevent infringing use of such a service". If we focus instead on good faith efforts, it leaves Napster screwed (which they are anyway) but leaves the door open for legitimate ventures to promote music on the net. Just a thought.

Kahuna Burger

Re:Why stop there?

[laborit]

But there's the problem... they clearly will stop somewhere, even if the law doesn't make it clear why they should.

An Oklahoma law makes it illegal to possess anything that looks like an illegal drug. Clearly Oklahoma's finest don't spend all their time kicking down kitchen doors and putting people away for having powdered sugar, oregano, or water. But in 1998 they did throw George Singleton in jail for a month, even though he was able to prove that he made his living as an herb merchant and that the plants filling his car were rosemary and mullein, two legal plants that he grew to treat asthma (and which, incidentally, don't look at all like marijuana).

Anyone want to guess what color Singleton's skin was?

Making (e.g.) Clarke liable for Freenet would be disastrous. It would put us in a state where most coders and inventors would be legally liable for something, but few would ever be prosecuted. This would give the government vast latitude to punish anyone they disliked, under a legitimate but overly broad blanket -- kind of like prohibition, in which everyone drank but only undesirables got busted.

- Michael Cohn

Accountable for its quality yes, for it's uses no.

[{LF}Ceres]

I have no problem with being accountable for the quality of the software that one distributes, and i think when u refer to the software engineering text that "supports this trend towards accountability", i think they are refering to the software makers being accountable for quality, and not making software makers accountable for it's uses. There is a world of difference between the two. To use the examples that you gave:

Civil Engineers are held liable for their bridges

... if they bridge falls down.. yes, but what if someone is driving drunk and drives off the bridge and dies? Is the engineer responsible?

Mechanical Engineers for their machines

Someone uses a car to get away after robbing a bank, is the mechanical engineer that designed the car responsible for the robbers getting away?

Anyway, you get the idea. There are many things to be accountable for, and when using that word it's important to remember that. In the case of an author being accountable for a piece of software it's as ludicrous(sp?) as the examples i gave above.

Ceres

Dear Bill Joy

[Hobbex]

Dear Bill Joy,

As one of the head programmers of Freenet, I would like to take this opportunity to thank you for making it possible. If we had not had your programming language, Java, and your editor, vi, I doubt we would ever have been able to get an implementation of Freenet working. You made it happen.

Since you must have known that people would one day use your programs to write programs that people could use to avoid censorship laws, you would obviously not have written them if that is not what you wanted, and I'm glad you take responsiblity for it. I hope we will have plenty of time to discuss how the people should be controlled so that they don't learn how to do bad things while in our shared jail cell.

Sincerely, Oskar Sandberg.

(And since you asked CmdrTaco, no I'm not scared. Are we men or are we mice people?)

What about the music *product*?

[ScottyB]

Does anyone else here see the least bit of hypocrisy in that the RIAA/MPAA are trying to make producers liable for the actions of users?

What about the "free expression" rights always demanded by movie and music makers, so-called artists who are making media even more sensational, whether through violence or sex, simply to increase profits? Popular culture (not art, mind you, since that is not a product like popular culture is) has been defended on the grounds of free expression for years, but it is a product and is in many ways responsible for the sensational reactions that viewers (i.e., users) have.

The way I see it is this:
(0) If code is seen as protected speech, then we should be in the clear.
(1) If code is not defined as speech, then coders are in trouble since computer code will be a product and thus the producers, programmers, will be liable.
(2) If code is speech, then it might not simply be protected speech. In this case, the case needs to be made that code is information, and that if the producers are still to be held liable, then producers of other information sold as products, like musicians (see here for my arguments on music as information), should be held similarly liable, or vice versa.

I personally think code is protected speech; that it can be useful as a tool only occurs if you have a compiler. I would agree that, especially when money is not being made off of it (i.e., somewhat different from Napster's case), code should be considered like an art form, deserving free expression rights.

The bottom line, though, is that coders need to get vocal, and not just on discussion forums. Write the mainstream press, CNN, the Washington Post, the New York Times, with letters to the editor; write something that outlines your positions in ways others will understand. Heck, I'll post it on DigitalRenegades. Just SAY something that others will hear.

Though it may sometimes not seem that the US is a democracy, it is. And lawmakers always want to keep their jobs by getting your vote.

SB

Editor, DigitalRenegades

Re:Why stop there?

[Veteran]

Profound observations. I would like to expand on them a little: there are already so many laws that even a lawyer can't know what all of them are. If you can't even know what all the laws are, how can you be legally responsible for obeying them?

Of course, the Prosecutors of the world would say "Ignorance of the law is no excuse" and I would continue "because if it were we would have to have a reasonable system that anyone could understand, and that might work - so we can't have that, otherwise we couldn't push people around, and we wouldn't like that."

The world is a screwed up place because there are people who want it that way.

Remember the bullies you ran into in school? Did you ever wonder what became of them when they grew up? The answer is that they never did grow up, they just figured out how to get away with bullying people; if you'll check, you'll discover that most of them went into law enforcement.

One thing which Ayn Rand got correct is her description of a "Conspiracy of Cockroaches". The law is an example of one; there is no formal conspiracy, there are just lots of like minded people who are seeking the same ends.

People can be divided into two broad emotional groups, the emotional 'herbivores' - who just want to be left alone to 'chew the cud of their happiness' and the emotional 'carnivores', who want to 'eat other people's happiness'.

The law is a great deal like the lions going to the wildebeests and saying to them "We notice you have a problem with wildebeests getting out of line. Why don't you let us handle the animals that get out of line? We'll make sure that everyone stays in line; we'll punish the ones who stray." And the wildebeests GO FOR IT.

Most people are emotionally 'herbivorous', most lawyers are emotional 'carnivores', we are absolute fools for letting the 'carnivores' set up the legal system.

The law, 100's of millions of lines of code, not one line of which has ever been tested to see if it works.

Re:why?

[HiQ]

Well, when is a drug a drug??

You can buy glue in a store, that helps you glue things together; but you can also take a nice deep sniff of it, and float quietly away, mmmKay? Same goes for software; you can program nmap to check for weak spots in your network, but you can use this tool for good and for bad.

All in all, your question is not so easy to answer; unfortunately, the worlds isn't so black and white, it also comes in different shades of gray

How to make a sig
without having an idea

Re:why?

[delmoi]

Hrm... you don't sound like a troll

If I write a piece of software which sole (or biggest) purpose is to help other people engage in illegal activities then why should I not be as liable for it as a drug dealer is for the drugs he sells?

How is writing software like selling drugs? Holding software authors liable for the criminal activities of others would be like holding hypodermic needle makers liable for people injecting heroin. Hypodermic needles can be used to inject anything, just like Napster can be used to transfer any audio recording (or other file, with a bit of hacking) and DeCSS can be used to decrypt DVDs for lawful purposes.

While a tool can be used for illegal purposes, the illegal acts are not the responsibility of the toolmaker, but rather the actor. The kid trading Metallica over napster is the drug-dealer, not the guy who coded it.

The difference

[Hard_Code]

You make some valid points. Yes, creators of products (or services) cannot be entirely seperated from the results of usage of said products or services. But in the examples you cite, the products do EXACTLY what they were meant to do. Cheaply made cars break and kill people, well, because they weren't designed not to. Driving a car is not some strange and bizarre activity - in fact it is the activity the car was designed for. Tobacco also was designed (don't even try to tell me otherwise) to deliver a neurostimulant. Inherent to the fact of being a smoked neurostimulant follow many consequences. I think guns are a bit different because they are not failing to perform in the advertised manner or producing unwarrented results (when you shoot something it will get hurt - duh). Guns do exactly what they are supposed to (and what they're supposed to do is the issue, not the metal and wood of a gun).

However, nobody is complaining that the product in question has bad side effects when *used correctly*. Nobody is being hit by shrapnel, or inhaling second hand smoke when they trade files. What is being claimed is that because some people choose to use an entirely valid product for a criminal purpose, the creator of said product, who may have nothing to do with this person, or even the product itself at this time, can be held responsible. Bombs and guns are not a good analogy - because they do *exactly* what they're supposed to do. A file sharing network is for sharing files, agnostic of their legitimacy or value. If somebody is using this service/product criminally it's not the creator's fault. E.g., are car companies responsible for bank heists or drug trafficking? Their responsible for cars breaking down or blowing up, but not for somebody doing something illegal with them.

does that make sense...

Alarmism.

[AndrewD]

Even with the unpleasant US laws on copyright and so on, I think salon are over-egging this one (and IAAL, but NAUSQL; mileage may vary from the US Bar). Look at a few examples:

1. Napster provided a centralised service - their search engine - and that's what is being shut down; the trading of MP3s through less formal channels isn't being touched.
2. The DeCSS action is about to founder on the First Amendment. The source code is very, very likely to be held to be protected speech.
3. PGP got around the export restriction by publishing the source as a book: the protected speech could then be exported without restriction and OCR'd, rebuilt and used.

In fine, the author of a piece of source code is OK. If he does something with it that is not protected, he's potentially in trouble. If he provides some other service that's an infringement of something or other, he's potentially in trouble.

That's what Napster ran aground on: the injunction (which won't get stayed by the Appeal, according to a US attorney friend of mine) was against the inclusion of copyrighted material in their searchable database of traded MP3s, not against the non-infringing uses of the software or in respect of anything the users did.

The injunction ordered Napster to do something they had previously declined to do: exercise some discrimination in the material they included in their list of tradeable MP3 files. Nothing to do with their authorship of any software.

The Oppenheimer defence is available only where you have no control over the end use of the product and there is a substantial lawful end use of same and the product is not dangerous in normal use if it is meant to be safe. (This is a statement of general principle, incidentally: for the specific application in your local jurisdiction consult a lawyer qualified to practise where you are).

Oppenheimer himself had no control over the end use, and that end use was (in the context of a major war) lawful. The product was dangerous in normal use, but then bombs are meant to be.

Big Tobacco is OK all the way up to the danger point. They've been insisting that the product was safe for decades, and now that is coming home to roost. (If they'd sold it, from when they first figured it out, on the basis that "this stuff will kill you: don't say you weren't warned that a little pleasure now will be paid for with a lot of pain later" they'd have been watertight)

DeCSS is perfectly safe to use, and there is a substantial lawful use (at least, lawful everywhere but the US) for a finished product (an executable). The source code itself doesn't do anything but communicate, so it's protected speech. The authors can't otherwise control what's done with it.

Napster, on the other hand, is used almost exclusively (on the evidence in that case, and on Napster's own business plan) for copyright infringement, and Napster run their marketplace as a centralised service so they've got a clear control over what's done with it. It is this last that caught them by the main zipper; it is this that's going to make their eyes water.

Laws

[Ayon+Rantz]

It seems to me that the problem we're facing is too much legislation. Maybe it's time we started rewriting the laws from scratch?

A good starting point would be:

Do what thou wilt shall be the whole of the law.
- Aleister Crowley

Why should programmers be silenced for following their True will? Science is already bogged down and stupidified through the master-servant systems incorporated in all major corporations, the education system and politics.

Communication is only possible between equals
- Robert Anton Wilson

If you have to go through the burden of bureaucracy, or resort to lying to your superiors because you know your real thoughts might get you fired or failed, you're already losing control over your own creativity.

Controversial or subversive material such as Socrates' philosophies, the research and books of Wilhelm Reich, or Napster, will always be suppressed by the powers that Be because of fear of the Unknown. The majority of the general public will be fooled all the time. Lawsuits and threats of financial incapacitation have just replaced the poison cup or the burning of books as the establishments instrument of oppression.

Maybe it's time to realise that electorial democracy is just another words for a self-imposed dictatorial oligarchy?
--

software liability all of a sudden?

[jetson123]

So, if some company sells me a lousy piece of software that causes me to lose money, I can't sue them, because under UCITA they have absolved themselves of all responsibility.

But if I write a piece of software that can be used for file swapping and someone uses it to commit copyright infringement, I may be held responsible for contributory infringement by the RIAA and MPAA?

Even the language and analogy itself is disturbing: creating tools for letting people share information is now on the same level as creating nuclear bombs? Isn't the ability to communicate freely at the heart of a democracy?

I think it's pretty clear what the deciding factor is in who can and cannot be held responsible for the software they create: people with money and political influence are exempted from responsibility. Remember that next time you vote and give the third party candidates a chance. Nader is looking pretty good...

The above comment missed the point

[Crag]

The article refers to making programmers accountable for the ways their software is used against other people, not for how good the software is. This is very different from the liability the automobile and tobacco companies are fighting. This is more like the lawsuits being pressed against the gun makers.

That being said, this concept (programmer is responsible for how his program is used) is ludicrous. While it is important for people to be aware of the potential uses of their creations, the leaders who gave the orders to drop the atomic bomb are to blame, not the scientists who designed it or the works who built it.

This issue is very complex. There is a lot of energy at stake, and a lot of confusion about what can and what "should" be done. The only sure way to solve all these problems once and for all is to hold the final decision makers responsible for _their_ actions. If you are holding a gun, only use it in self defense or for sport. While driving a car, respect the power of 2000 pounds of steal going 70+ mph. While holding a baseball bat, don't blame the manufacturer if you decide to hit someone with it.

No matter what power you hold, there is noone better qualified to keep you from abusing that power than you.

Blaming doesn't get us anywhere. The change we want is much deeper than making it more difficult to cause harm. We need to stop wanting to cause harm.

(We also need to agree on what harm is - napster is certainly a grey area in many peoples' minds.)