May 24, 2013

USA Intellectual Property Theft Commission Recommends Malware!

Oh boy. The "Commission on the Theft of American Intellectual Property" has released its long awaited report, and it's 90 or so pages of doom, gloom, and the bizarre -- including one section that had me almost literally doing a "spit-take" onto my screens while sipping my morning coffee.

I'm not going to try to critique the entire report here and now. As you'd expect, it presents a dire scenario of intellectual property theft run amok, and while offering only a few words of lip service to the grossly flawed measurement methodologies that vastly overstate dollar losses in various sectors, the report instead suggests that those exaggerations are actually understatements -- that the problem is far, far worse than we ever imagined. Oh, the horror. The horror.

But we expected this sort of skew to massively hyperbolize the underlying actual problems of IP theft.

What you may not have expected, however, is that the authors of this report appear to have been smoking "funny cigarettes" during its drafting. OK, we don't know this for a fact, but it's otherwise difficult to wrap your mind around this specific proposal in the "cyber" section of the report:

"Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved."

Booooing! Say what? Is this the parody section of the report? Something from "The Onion" or perhaps a "Saturday Night Live" skit?

I'm afraid they're serious. And what they're proposing is no less than the legitimizing of a form of malware that has attacked vast numbers of Internet users, costing them immense lost time, money, and grief.

You may have been unlucky enough to see this for yourself. It comes in various forms, but generally it claims to be a law enforcement warning (often saying it's from the FBI). It accuses you of having some kind of "illicit" material (usually a copyright violation and/or porn) on your system, and demands that you contact an address for "more information" -- or even that you make immediate payment of a "fine" to release your computer. Your webcam may even be surreptitiously used to include your photo to further confuse and upset you.

Of course, this is all a scam. If you go to that address, you'll likely download more malware, or be directed to provide credit card or bank account info to pay for your "violation" of law. Even if you pay, you have no assurance that this malware will go away. Even if it does seem to release you, it may hang around in the background sucking up your private information, bank account access data, and who knows what else.

Consumers attacked by this class of malware have spent enormous sums to get it actually cleaned out, and very many have been directly defrauded by it as well. And of course, these systems can't be used for anything else while the malware is actively threatening you.

So now we have the IP Commission suggesting that firms be allowed to use basically this same technique -- pop up on someone's computer because you *believe* they've stolen something from you, terrify them with law enforcement threats, and lock them out of their (possibly crucial) data and applications as well.

What the hell are these guys thinking? Outside of the enormous collateral damage this sort of "permitted malware" regime could do to innocents -- how would the average user be able to tell the difference between this class of malware and the fraudulent variety that is currently a scourge across the Net?

What's more, how can it possibly be justified to lock users out of their systems on this sort of unilateral basis? How much "theft" -- even when it actually occurred -- is enough to justify locking someone out of their private applications and data, some of which may be absolutely necessary to their daily lives?

I could get into a lot of technical details about this, but we can just cut to the chase for now: the whole concept is utterly insane, and frankly calls into question the competency of the commission in general.

With our own commissions coming up with idiotic, dangerous nonsense like this, we may have more to worry about from their kind of thinking than from the "cyber-crooks" themselves.

And that's really, seriously, scary.

--Lauren--

Posted by Lauren at May 24, 2013 10:50 AM