UNIX System Administration Handbook - Evi Nemeth [467]
• The No Electronic Theft Act
• The Digital Millennium Copyright Act
As we start the new millennium, the big issues are the liability of sysadmins, network operators, and web hosting sites; strong cryptography for electronic commerce; copyright issues; and privacy issues.
Liability
System administrators are generally not held liable for content stored by users on the machines for which they are responsible. ISPs typically have an appropriate use policy (AUP) that they require anyone connecting to them to “flow down” to their customers. Such AUPs assign responsibility for users’ actions to the users themselves, not to the ISP or the ISP’s upstream provider. These policies have been used to attempt to control spam (unsolicited commercial email) and to protect ISPs in cases where customers stored child pornography in their accounts. Check the laws in your area; your mileage may vary.
A good example, but one that is too long to include here, is the AUP at www.mibh.net. It includes the usual lawyerish words about illegal actions, intellectual property violations, and appropriate use. It also includes a specific list of prohibited activities as well as enforcement policies, procedures for registering complaints, and a statement regarding liability.
Encryption
The need for encryption in electronic commerce and communication is clear. However, encryption is against the law in some countries. Law enforcement agencies do not want citizens to be able to store data that they (the police) cannot decrypt.
In the United States, the laws regarding encryption are changing. In the past, it was illegal to export any form of strong encryption technology. Companies had to create two versions of software that incorporated encryption: one for sale in the domestic market and a crippled version for export. The patent absurdity of this policy (the rest of the world has had cryptographic technology for a very long time) and the needs of electronic commerce eventually motivated the government to change its stance. Although the export restrictions are not yet completely gone, the situation in the United States is better than it used to be.
Another side effect of the former U.S. laws is that many encryption-related software development projects are based in other countries. The IETF has done standards work in the area of end-to-end secure communications at the protocol level—the IPSEC effort—and vendors are beginning to ship systems that include it. The authentication part is typically bundled, but the encryption part is often installed separately. This architecture preserves flexibility for countries in which encryption cannot be used.
Copyright
The music and movie industries have noticed with some consternation that home computers are capable of playing music from CDs and viewing movies on DVD. It’s kind of an opportunity for them and kind of a threat, particularly with the prospect of widespread Napsterization drawing ever closer.
The DVD format uses an encryption key to scramble the contents of a disk by a technique called CSS, the Content Scrambling System. The idea was to limit the ability to play DVDs to licensed and approved players. Consumer DVD players include the appropriate decoding key, as do the software players that come with most DVD computer drives.
A student from Norway and two as-yet-unidentified European hackers reverse-engineered the CSS encryption process and posted a program called DeCSS to the web. The program did not bypass the DVD encryption scheme; it simply used the decryption key from a legitimate Windows player to decode the DVD data stream and save it to disk.
The Norwegian student is now under criminal indictment in Norway, and the Motion Picture Association of America and the DVD Copy Control Association have both filed lawsuits against numerous distributors of the DeCSS software. The lawsuits allege that the defendants were engaged not in theft of copyrighted materials, but in the distribution of trade secrets and “circumvention of copy protection,” which