US Copyright Group Recommends Legalizing Rootkits To Fight IP Theft

On any given day in the United States you will find a number of really, really terrible ideas being floated as smart decisions. Flying to Hawaii to give birth in the ocean surrounded by dolphins. A drunk man repeatedly directing traffic in midtown Manhattan. And, today, from the USA Intellectual Property Theft Commission, a 90-page report on the state of IP around the world, the dangers posed to American IP by the Internet, and one remarkable suggestion on how to fix the problem.

Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account...

[T]here are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.

This Is Very Disheartening

The worrisome thing about this recommendation is that it shows just how deeply the content industry fails to understand the nature of the Internet. I'm not referring to the free flow of information -- they've never understood that -- but the basic definition of what constitutes a secure network. SOPA and PIPA threatened the integrity of the Internet partly because they imposed unreasonable burdens of policing on companies currently protected by the DMCA's safe harbor clause and would have given corporations within the US broad power to order the removal of content from the Internet without following the rules of due process.

This is arguably worse. The IPTC is arguing for the creation of supra-judicial authority to engage in destructive behavior against individuals and corporations. The only way such actions could be achieved is if systems are rootkitted from the beginning, thereby granting the MPAA/RIAA permanent access to the information stored on the systems in question. While the report doesn't attempt to insist that such content be integrated into a system at the OS level, that's virtually the only way to ensure that the spyware is distributed to everyone.

It genuinely does not seem to have occurred to these people what would happen to a large corporation if a hacker used these rootkits to gain unfettered access to sensitive data. We've already seen the damage such networks can do on an international scale with the discovery of the Red October botnet last year -- now, imagine if every system in the world (or, at least, every system with the ability to play back multimedia content) was rootkitted?

But it actually gets worse than that. If your PC is attached to a network of devices in a government or corporate setting, the damage any single user can do to the network is exceedingly limited if the system is properly secured. The IPTC wants the ability to "destroy the hacker's own computer or network." That requires superuser-level access, not just to the computer, but to the network itself.

Security Concerns Dwarf Piracy Issues

Should you care? I think so. Not because the IPTC is unilaterally writing US law, but because these are the viewpoints that represent one half of the conversation taking place on what's reasonable for IP law. It doesn't matter if you take a strict view on content distribution and piracy or if you don't believe piracy meaningfully exists in the digital realm -- the security flaws in this recommendation should have made it an obvious non-starter from the beginning.

After SOPA and PIPA exploded, I'd hoped that there'd be real conversations on why the laws were unacceptable from a security and enforcement standpoint. Clearly that hasn't happened.