Boing Boing Staging

How security and privacy pros can help save the web from legal threats over vulnerability disclosure

I have a new op-ed in today’s Privacy Tech, the in-house organ of the International Association of Privacy Professionals, about the risks to security and privacy from the World Wide Web Consortium’s DRM project, and how privacy and security pros can help protect people who discover vulnerabilities in browsers from legal aggression.

I’ve got an open letter to the W3C asking it to extend its existing nonaggression policy — which prohibits members from using patents to threaten those who implement web standards — to cover the weird, dangerous rights conferred by laws like the DMCA, which let companies threaten security researchers who come forward with disclosures of dangerous product defects.

If you’re a privacy or security pro and you want to support this initiative, email me, along with the country you’d like listed with your name, and your institutional affiliation (if any).

Last summer, the U.S. Copyright Office solicited comments on problems with DMCA 1201, and heard from some of the nation’s most respected security researchers, from Bruce Schneier to Steve Bellovin (formerly chief technologist at the Federal Trade Commission, now the first technology scholar for the Privacy and Civil Liberties Oversight Board), and Ed Felten (now White House Deputy Chief Technology Officer).

The researchers spoke as one to say that the DMCA has chilled them from reporting on flaws in technologies from cars and tractors to medical implants to voting machines.

The W3C’s decision to standardize DRM puts it on a collision course with this legal system. The U.S. Trade Representative has exported versions of the DMCA to most of the U.S.’s trading partners, meaning that web users all over the world face the risk that the flaws in their browsers will go unreported because researchers fear retaliation from vendors who want to avert commercial embarrassment (and even legal liability) when those flaws come to light.

EFF would prefer that the W3C not standardize DRM at all: anything that makes it easier for companies to attack security researchers is not good for the open web. But since the W3C rejected that proposal, we’ve offered a compromise: asking the W3C to extend its existing policy on intellectual property rights (IPRs) to protect security researchers.

How you can help white hat security researchers [Privacy Tech/IAPP]
