Passing anti-terror legislation in the United States is much simpler now. Anything that prevents future attacks is seen as the right answer. However, the effects of some new laws reach further than expected. Activities previously regarded as a benefit to society are now in danger of being labelled as terrorist crimes, especially in the realm of computer security.
I am not a terrorist.
My friends call me a hacker, my colleagues call me qualified, my family calls me a computer scientist. I am many things--coder, cracker, phreaker, computer security expert--but I am not a terrorist. In the eyes of some, that might soon change.
In reaction to the terrorist acts of September 11, members of the United States Congress put forth two bills. One increases the government's ability to surveil its citizens (the Combating Terrorism Act), and the other labels all computer crimes as acts of terrorism as a part of broader anti-terrorism measures (the Anti-Terrorism Act).
To say that some of us in computer security are scared is an understatement. In recent days, many of us have fallen silent and stopped performing our craft of our own volition, hoping to evade the attention of anyone who might take interest in what we do now, and in the past. Most importantly, some provisions in the ATA allow retroactive extraterritorial prosecution of computer crimes as acts of terrorism.
As a result, it seems that neither side of computer security--the white hats and the black hats--is safe from reckless legislation. As white hats, we try to discover flaws in computer programs and systems before black hats do. To that end, we need to involve ourselves in activities which arguably cross the line into computer crimes. After reporting the flaws to the relevant software authors so they can fortify their software, we generally publish our methods of discovery and findings so users can protect themselves. This pattern of discovery, reporting and disclosure has been a white hat tradition for more than a decade.
By publishing our findings, we protect millions from harm. But in doing so, we also link ourselves to past altruistic acts which may now be illegal under the ATA.
"How could I not be at risk of prosecution now that what I've done in the past is a prosecutable crime?" asks security expert and university student Dylan Griffiths. "I have to be very wary of whether or not I'm suddenly a criminal for actions which weren't criminal six months ago."
Under the ATA, prosecuting computer crime no longer depends on the nature or effect of the crime, nor when the crime took place. Anyone who defaces a Web page--the online equivalent to spray-painting a sign--faces life without parole. The same sentence applies to someone who disrupts computers controlling the power grid, with little regard to intent or actual damage caused. To many, this is unfair and trivializes real acts of terrorism, since it equates the effects of defacement with the effects of fallen aircraft.
White hats like Griffiths, who has published security advisories describing how certain software can be exploited, are in danger of being labelled "terrorists" for their benevolent actions.
"They're stepping over civil liberties by using loopholes in legislation to avoid protection provided by their own constitution's fourth amendment," says Griffiths. "The U.S. is trying to increase their sphere of influence by allowing their peace officers to arrest or obtain warrants for people who have never been on U.S. soil nor committed crimes against the U.S."
Indeed, the computer security community on both sides--the black and white hats--sees faults with the legislation, such as branding those who assist terrorists as terrorists themselves.
"I have grave concerns about the implications of the aiding and abetting section on published research in security circles. Computer professionals depend on knowledge and skill--knowledge obtained from published accounts of vulnerabilities," says a black hat who did not wish to be identified. "If providing information on how to break into a system--and therefore how to secure it--becomes punishable by life in prison, then I imagine such information will become quite scarce. And this will not make our computer systems any more secure. On the contrary, computer security will become more difficult for law-abiding citizens."
Both he and Griffiths agree the CTA and ATA do more harm than good by unnecessarily threatening civil liberties of the public without affecting terrorism.
Among its provisions, the ATA eases restrictions on surveillance of U.S. citizens' devices by both domestic and foreign governments. Civil rights issues raised by the legislation include the collection and disclosure of educational and other personal records to Federal employees, and DNA identification of those suspected of or assisting terrorism.
The Electronic Frontier Foundation, a U.S.-based organization promoting and defending civil liberties, believes the ATA would give the government unprecedented authority to surveil Americans with little judicial oversight.
"The theme of freedom in the face of terrorist attacks should focus on measures that preserve rather than diminish our civil liberties," says EFF Executive Director Shari Steele.
Steele notes the ATA would also allow the U.S. to use information on U.S. citizens collected by foreign governments such as Canada, even if that collection violates the Fourth Amendment in the U.S. One example is the inappropriate use of roving wiretaps. According to the U.S. Department of Justice, the wiretaps give law enforcement authorities wide-ranging powers.
According to the DoJ's analysis of the bill, "roving wiretaps are unlike conventional wiretaps in that they allow law enforcement officials to follow the suspect from one location to the next, without having to seek court authorization to wiretap each location's telephone line or other communication channel.
"In short, the government may tap any telephone that the target uses or is known to use."
In addition to capturing communications of citizens unrelated to the suspect, the roving wiretap provision would allow government agencies to wiretap for no specified scope and for unlimited durations on devices like pay phones and public library computers.
Combined with other provisions in the CTA that allow law enforcement personnel to obtain copies of e-mail, voice mail and so-called electronic "routing information," personal privacy is jeopardized, says Griffiths.
"It looks like a few key players in the FBI, CIA and NSA who have been lobbying for these type of acts have succeeded because of the terrorist act," says Griffiths. "I doubt civil liberties of the citizens of the U.S. and people abroad in countries with extradition treaties will be restored until these new laws are tested in court and shown to be unconstitutional."
But until that happens, we must cope with the changes or prevent them.
Concerns about increased use of wiretapping and other surveillance measures have driven many in the community to protect their privacy and their freedom. Although encryption programs provide one possible solution, even that idea is under political and legislative threat as some in the U.S. intelligence community feel it impedes their investigations into terrorist organizations and activities.
The alternative, to simply surrender to the notion that "if you're not guilty then you have nothing to hide," is as unacceptable as yielding to the terrorists.
Because of and in spite of the recent tragedy, black hats, white hats, concerned netizens and citizens in general are taking steps to preserve freedom. Already, people are rallying in virtual communities on the Internet and offline around organizations like the EFF and the Electronic Information Privacy Center and Electronic Frontier Canada to prevent draconian legislation against civil liberties.
For the sake of both white and black hats, and peace-loving people in any nation, I hope legislators do not go too far as America makes its first move from "freedom to act" to "freedom from terrorism."