is this true or... ?

I'm not sure what text you saw. The Texas bill (I posted the URL
earlier today) does not speak of "primary purpose". The section Felten
warned about (Section 6) criminalizes the following things:
manufacture, sale, etc., of a "communications device" with an intent to
*either* defraud, *or* conceal origin, destination, etc.; manufacture,
sale, etc., of an "unauthorized access device"; or manufacture, sale,
etc., of plans or instructions for such devices with the knowledge that
the intent of the end user is illegal. The word "primary" does not
occur in the text of the bill, according to both my reading and Acrobat's
"find" function.

    --Steve Bellovin, http://www.research.att.com/~smb (me)
    http://www.wilyhacker.com (2nd edition of "Firewalls" book)

*sigh* Now neither am I. I searched over the law links, the articles
and my browser history and I can't figure out where I got that
"primary purpose" from. I don't know if I was reading the wrong
section of the laws or totally hallucinated it.

  The laws require an "intent to" "conceal" the "origin or
destination". NAT would not count, as the intent is to share a scarce
resource, not to conceal the origin or destination -- the origin is
only concealed to the extent necessary to accomplish the sharing.
Firewalls probably would not count either, as there is no intent to
conceal the origin or destination, the intent is to provide security.

  The argument would then hinge on complex legal interpretations of
'intent'. If you intentionally do 'x' knowing that 'x' has 'y' as a
side-effect, but you don't want 'y' specifically, does that count as
intending to do 'y'? If so, then FedEx intends to distribute child
pornography.

  I still think there's some FUD in Felten's claims. But I think if
someone had warned of the exact, specific problems we've had with the
DMCA obliterating fair use, it would have looked like FUD at the
time.

  I apologize to Mr. Felten.

I disagree - I could point you to a bunch of companies who are running
NAT _precisely_ to "conceal origin or destination". Not because they are
short of address space (since a lot of them even do 1:1 NAT), but
because they feel it adds to their security measures to obscure and
conceal their internal addressing and topology. Don't forget all the
self-appointed "security experts" out there with very varying degrees of
clue. I would imagine that type of setup would be very hard to argue
falls outside the text of this bill.

/leg

Declan McCullagh sent out an email 7:56 am EST this morning,
referencing his full report at:
http://news.com.com/2100-1028-994667.html

I was shocked to see that Michigan has *already* passed such a law!
(Also Virginia, Delaware, and Illinois.)

I've found the new law(s), and they basically outlaw my living in
Michigan starting March 31st (this Monday, two days from now):

http://www.michiganlegislature.org/printDocument.asp?objName=mcl-750-219a-amended&version=txt

http://www.michiganlegislature.org/printDocument.asp?objName=mcl-750-540c-amended&version=txt

The Bill analysis basically quotes the MPAA website!

http://michiganlegislature.org/documents/2001-2002/billanalysis/house/htm/2001-HLA-6079-b.htm

It outlaws all encryption, and all remailers.

It outlaws connecting any device "without the express authority of the
telecommunications service provider". No NATs. No wireless.

(Some DSL/cable companies try to charge per machine, and record the
machine address of the devices connected.)

It outlaws configuring your ISDN to be a voice device, and then sending
data over the device.

(Most folks around here are willing to settle for 56Kbps + 56Kbps --
fixed fee -- instead of 64Kbps + 64Kbps -- per minute.)

It outlaws configuring a wire pair purchased as a burglar alarm circuit,
and then using it as DSL.

It outlaws using Linux/*BSD for reading DVDs and a host of other things.

Also, "reprogramming" a device (and software and computer chips are
explicitly included) "that is capable of facilitating the interception,
transmission, retransmission, decryption, acquisition, or reception of
any telecommunications, transmissions, signals, or services" would seem
to prohibit mod'ing of M$ Xboxen.

Heck, it is possible to read this Act to prohibit changing your
operating system from M$ to Linux.

This was passed in a lame duck session (December 11, 2002) as part of
a big omnibus crime act that covered everything from "adulteration of
butter and cream", to "trick or acrobatic flying" to "false weights and
measures", mostly increasing fines and/or jail for existing offenses.
Michigan is a leader in overcrowding its prisons.

There was other lame duck legislation passed, before a new Governor
took office, almost all of it bad for civil liberties!

Date: Sat, 29 Mar 2003 15:53:32 -0500
From: William Allen Simpson

[ snip ]

IANAL, but VPNs look like trouble waiting to happen. And then
there's promiscuous mode...

Eddy

William Allen Simpson wrote:

> It outlaws all encryption, and all remailers.

I'm missing where it outlaws these? In fact, it outlaws others (say your ISP) from decrypting your encrypted data.

> It outlaws connecting any device "without the express authority of the telecommunications service provider". No NATs. No wireless.

Not true. An ISP can choose to allow NAT and wireless or not allow it. This is the ISP's choice. The law is designed to protect the ISP's rights from existing technology so that the ISP can bill appropriately according to what service is being used. This does not mean that every ISP will not allow NAT.

> (Some DSL/cable companies try to charge per machine, and record the machine address of the devices connected.)

And to use NAT to circumvent this should be illegal. It is theft of service. The ISP has the right to set up a business model and sell as it wishes. Technology has allowed ways to bypass or steal extra service. This law now protects the ISP. There will be some ISPs that continue to allow and support NAT.

> It outlaws configuring your ISDN to be a voice device, and then sending data over the device.
>
> (Most folks around here are willing to settle for 56Kbps + 56Kbps -- fixed fee -- instead of 64Kbps + 64Kbps -- per minute.)

Isn't ISDN regulated still?

> It outlaws configuring a wire pair purchased as a burglar alarm circuit, and then using it as DSL.

The alarm circuit trick was getting caught onto and stopped as it was. It was only a matter of time before laws/regulations stopped this.

> It outlaws using Linux/*BSD for reading DVDs and a host of other things.

How does it outlaw this?

> Also, "reprogramming" a device (and software and computer chips are explicitly included) "that is capable of facilitating the interception, transmission, retransmission, decryption, acquisition, or reception of any telecommunications, transmissions, signals, or services" would seem to prohibit mod'ing of M$ Xboxen.

Correct me if I'm wrong, but the DCMA(sp?) already performed this function. Circumventing copyright protection has always been deemed illegal and they are just now implementing laws to help protect it from technology.

> Heck, it is possible to read this Act to prohibit changing your operating system from M$ to Linux.

It would be a far stretch, and I do not feel that it would hold up in court as applying.

One thing to note, a telecommunications service provider is defined in such a way that anyone running a network is included. This means that running a business or home network protects your network. If in the nature of security, you have encrypted tunnels to other offices, those tunnels are protected from decryption by this Act. It is also important to note that NAT and tunnelling does not hide the source and destination in such scenarios, as the NAT IP is the correct customer and the network behind that is the Service Provider that owns that network. HOWEVER, it does make the abuse of an open proxy illegal.

I will concede that the Act is poorly written and is subject to abuse. It should have been worded more clearly concerning interconnected networks and jurisdiction. The definitions shouldn't have any ambiguity to them. The act also presumes that the service provider has declared specifically what can and cannot be done with the service. As most existing contracts show that this is not the case, there is room for the service providers to abuse this Act in their favor.

Jack Bates
Network Engineer
BrightNet Oklahoma

Date: Sat, 29 Mar 2003 23:22:11 -0600
From: Jack Bates

[ snip ]

> One thing to note, a telecommunications service provider is defined in
> such a way that anyone running a network is included. This means that
> running a business or home network protects your network. If in the
> nature of security, you have encrypted tunnels to other offices, those
> tunnels are protected from decryption by this Act. It is also important

I agree with your first points, which I snipped, but could a VPN
not be considered concealing origin? I think that's a _bad_
classification, but am playing devil's advocate, here...

Although I suppose if the company using the VPN is the comms
provider, then they'd not be concealing the origin from
themselves.

I still wonder about promiscuous mode.

IANAL. *shrug*

Eddy

No, it is not theft of service. It doesn't cost an ISP more for me to
have 20 machines than it does if I have just 1. Nor does it cost them if
I use NAT.

What might cost them more is if I use more bandwidth or use additional IP
addresses (for which there may be an associated expense). But a user with
one machine can potentially use as much or more bandwidth than a user with
20. There simply isn't a decent correlation between number of machines
and amount of service consumed. Even so, an ISP doesn't have a legitimate
complaint against users that are simply consuming the bandwidth that the
ISP advertised as being part of their service.

Tony Rall

So if I own an "all you can eat" restaurant you would say that I should
allow you and your whole family to eat for the price of one person as
long as only one of you was in the restaurant at any one time?

Of course you'll say your family of vegetarian dieters eats less food
than some truck driver I had in last week so that's okay.

The ISP is able to charge the low price for "flat rate" Internet because
it knows there is only one computer in the house and it's (99% of the
time) doing normal web browsing and email type stuff for only a limited
amount of time each day (p2p has screwed up the economics a bit).

If you price your product on the assumption that the average customer only
uses 5% of their bandwidth then it doesn't take many customers using 50%
or 100% of it to really spoil your economics.

Banning NAT and servers is a simple way to filter out most of the "power
users" without scaring the "mom and pop" customers with bandwidth and
download quotas.

Hardly. Banning NAT doesn't filter out anyone. There are plenty of "power
users" without NAT.

Instead of using dishonest marketing, just explicitly ban bandwidth hog
stuff like p2p services up front...

-Dan

> If you price your product on the assumption that the average customer only
> uses 5% of their bandwidth then it doesn't take many customers using 50%
> or 100% of it to really spoil your economics.

Turn this assumption a part of the service: place a monthly transfer limit
of some gigabytes. This will also scare p2p heavy-users and leave you with
the high-margin low-usage customers.

> Banning NAT and servers is a simple way to filter out most of the "power
> users" without scaring the "mom and pop" customers with bandwidth and
> download quotas.

NAT doesn't always imply simultaneous users. Many people use it for
security, I personally use for a 2-computer network with my desktop and my
notebook, but never use both at the same time...

Rubens

> No, it is not theft of service. It doesn't cost an ISP more for me to
> have 20 machines than it does if I have just 1. Nor does it cost them if
> I use NAT.
>
> What might cost them more is if I use more bandwidth or use additional IP
> addresses (for which there may be an associated expense). But a user with
> one machine can potentially use as much or more bandwidth than a user with
> 20. There simply isn't a decent correlation between number of machines
> and amount of service consumed. Even so, an ISP doesn't have a legitimate
> complaint against users that are simply consuming the bandwidth that the
> ISP advertised as being part of their service.

> So if I own an "all you can eat" restaurant you would say that I should
> allow you and your whole family to eat for the price of one person as
> long as only one of you was in the restaurant at any one time?

Ahh! But you see it ain't "all you can eat" or rather, "use as much
bandwidth as you want as we don't throttle you at all." I recently signed
up for Comcast and had it installed. I get some really nice download
speeds, would be surprised if the download has a cap on it. However,
upload is definitely throttled, stops at about 250 kbps.

So that is what I am paying for. It's not limitless. I paid for a big
mac and a drink with free refills. If I share that with my roommate, I am
not stealing from them.

-Mike

Jack Bates wrote:

William Allen Simpson wrote:
> It outlaws all encryption, and all remailers.

I'm missing where it outlaws these? In fact, it outlaws others (say your
ISP) from decrypting your encrypted data.

That is not correct.

I'm very sensitive to these issues. As those of you that have been
around for awhile may recall, I was investigated by the FBI for "treason"
merely for *WRITING* the specification for PPP CHAP and discussing it at
the IETF (under Bush I). I don't expect it to be different for Bush II.

As Larry Blunk points out, to "possess" an encryption device is a felony!

Jack, you need to actually look at the text of the Act:

    (1) A person shall not assemble, develop, manufacture, possess,
    deliver, offer to deliver, or advertise an unlawful
    telecommunications access device or assemble, develop, manufacture,
    possess, deliver, offer to deliver, or advertise a
    telecommunications device intending to use those devices or to allow
    the devices to be used to do any of the following or knowing or
    having reason to know that the devices are intended to be used to do
    any of the following:

    (a) ...

    (b) Conceal the existence or place of origin or destination of any
    telecommunications service.

[no encryption, no steganography, no remailers, no NAT, no tunnels]
[no Kerberos, no SSH, no IPSec, no SMTPTLS]

    (c) To receive, disrupt, decrypt, transmit, retransmit, acquire,
    intercept, or facilitate the receipt, disruption, decryption,
    transmission, retransmission, acquisition, or interception of any
    telecommunications service without the express authority or actual
    consent of the telecommunications service provider.

[no NAT, no wireless, no sniffers, no redirects, no war driving, ...]

    (2) A person shall not modify, alter, program, or reprogram a
    telecommunications access device for the purposes described in
    subsection (1).

[no research, no mod'ing]

    (3) A person shall not deliver, offer to deliver, or advertise
    plans, written instructions, or materials for ...

[no technical papers detailed enough to matter]

    (4) A person who violates subsection (1), (2), or (3) is guilty of a
    felony punishable by imprisonment for not more than 4 years or a
    fine of not more than $2,000.00, or both. All fines shall be imposed
    for each unlawful telecommunications access device or
    telecommunications access device involved in the offense. Each
    unlawful telecommunications access device or telecommunications
    access device is considered a separate violation.

[big penalties]

    (a) "Telecommunications" and "telecommunications service" mean any
    service lawfully provided for a charge or compensation to facilitate
    the origination, transmission, retransmission, emission, or
    reception of signs, data, images, signals, writings, sounds, or
    other intelligence or equivalence of intelligence of any nature over
    any telecommunications system by any method, including, but not
    limited to, electronic, electromagnetic, magnetic, optical,
    photo-optical, digital, or analog technologies.

[everything from a DVD, to the network, to the monitor, to t-shirts]

Mike Lyon wrote:

> Ahh! But you see it ain't "all you can eat" or rather, "use as much bandwidth as you want as we don't throttle you at all." I recently signed up for Comcast and had it installed. I get some really nice download speeds, would be surprised if the download has a cap on it. However, upload is definitely throttled, stops at about 250 kbps.

Please see Sapphire worm. Then tell me that an ISP doesn't oversell services. The fact is, the entire Internet is oversold. If everyone did their full capacity, it would crash. DSL is also based on this assumption. Most of the providers selling DSL at the cheap rates are actually losing money and subsidising it with their other revenues. What right do we have to say that one business model is better than another, and circumvent the business model? Thus there are laws being made to help protect the business models. This is what happens when people take advantage of something because they *can*. Personally, I don't like the limit by machine approach. On the other hand, I give out private addresses and NAT all my users. Real IP addresses cost the same amount that I pay for the bandwidth (and it's expensive way out in the sticks). We also run at a higher rate than SWBell one town over. Why? They are subsidising the costs; we aren't. When it's cheaper to run bandwidth 100 miles into the country, then we'll lower our rates to reflect based on the usage of the users. Since they p2p and feel they will use 100% all the time, the price stays high. We don't care how much they complain. We're in the profit business, not filing chapter 11 like our competitors.

Can't NAT-like devices be just as viable as a security device as well?
Is the ISP willing to take responsibility for security breaches on my home
network because they banned my firewall? From a
political/public-perception standpoint, treat those ISPs that are
complaining about NAT as being soft on security and encouraging hacking.
In today's paranoid political climate, there might even be some mileage
here.

I have Charter pipeline in Madison, WI, and they've been very open about
people using NAT devices to the point that they are recommended in some
cases as security devices as well as being sold by Charter's
professional-services group as inexpensive firewalls. About six months
ago I got a 1-page flier from Charter offering a 4-port Linksys and an
on-site installation.

Since a "NAT device" could include virtually any operating system and any
PC with two or more ethernet ports, it might be better to push the
"firewall" aspects of them rather than try to defend or justify the
MANY-to-1 routing aspects of NAT.

Jamie Lawrence wrote:

"There has grown up in the minds of certain groups in this country the
notion that because a man or a corporation has made a profit out of the
public for a number of years, the government and the courts are charged with the duty of guaranteeing such profit in the future, even in the face
of changing circumstances and contrary public interest. This strange doctrine is not supported by statute nor common law. Neither individuals
nor corporations have any right to come into court and ask that the clock
of history be stopped, or turned back, for their private benefit."
   - Robert Heinlein, "Life Line", 1939.

It's not a matter of guaranteeing profit. It is a matter of stopping theft. Please see the old laws protecting telephone and cable companies. Now they asked it to be extended to help protect ISPs.

The only part I do have an issue with in the Act is the fact that it limits the use of NAT devices where an ISP does not allow them. However, I do not construe this as a serious problem, as people using the service shouldn't use such technologies in the first place. They are knowingly bypassing the terms of service. As for the other providers, the Act doesn't apply.

While many whine and complain, I particularly like the protections on the copyrights, including the X-box. Most people didn't have the knowledge to make blank cartridges in the old days and download the code to the cartridges to play a game. Everyone can download software and burn a CD. Smack in a mod chip and you're good to go. I may not like M$, but I have to respect their copyrights.

-Jack

[snip]

You can be assured that what ever references to "trick or acrobatic flying" will be challenged by the AOPA (aopa.org) . Those rules/laws are the domain of the FAA.

Sounds like too long of a winter and it froze their brains.

M

Jamie Lawrence wrote:

Perhaps we'll have to agree to disagree, if you think those were good
laws.

I don't necessarily think they are good laws. What it comes down to is this. A person will do whatever they think they can get away with if the punishment is only losing their service. I personally think that ISPs should write in penalty costs for breaking TOS and AUP and set them high enough to scare people into not breaking them. However, history has shown that we instead make it a criminal offense and use that as the way to scare people into doing what is right to begin with.

Extending this to criminalizing devices capable of doing NAT, or port forwarding, or (seemingly, in some cases) encryption, or anonymous remailers, is stupid and wrong.

I do think that the Act was poorly written and have stated such. There is too much room for abuse of the Act. They tried to incorporate too many things under one umbrella. An ISP should not be grouped with telco or even cable. It has its own sets of problems, and those problems should be handled uniquely. Combining legislation has never been a good deal.

If you need to criminalize what you should be enforcing by contract,
your business has a problem.

People, especially home users, don't fear breach of contract, especially if they feel they might get away with it. They do fear the law and going to jail; regardless of if it's enforced heavily or not.

-Jack

> If you price your product on the assumption that the average customer only
> uses 5% of their bandwidth then it doesn't take many customers using 50%
> or 100% of it to really spoil your economics

Personal Telco has some interesting opinions on this:

http://www.personaltelco.net/index.cgi/StealingBandwidth?action=highlight&value=CategoryPhilosophy

(quoting)
"Traditional broadband providers cry foul when users take their cable modem
or DSL connections and beam them to friends, family and passers-by through
Wi-Fi networks. "It constitutes a theft of service per our user agreement,"
says AT&T Broadband's Sarah Eder. But at least one very important observer
doesn't buy that. "I don't think it's stealing by any definition of law at
the moment," says FCC chairman Michael Powell. "The truth is, it's an
unintended use."

apl

* alambert@quickfire.org (Alex Lambert) [Sun 30 Mar 2003, 20:19 CEST]:

> http://www.personaltelco.net/index.cgi/StealingBandwidth?action=highlight&value=CategoryPhilosophy
>
> (quoting)
> "Traditional broadband providers cry foul when users take their cable modem
> or DSL connections and beam them to friends, family and passers-by through
> Wi-Fi networks. "It constitutes a theft of service per our user agreement,"
> says AT&T Broadband's Sarah Eder. But at least one very important observer
> doesn't buy that. "I don't think it's stealing by any definition of law at
> the moment," says FCC chairman Michael Powell. "The truth is, it's an
> unintended use."

Right. How would you feel when your butcher started selling meat only
for personal use, and if you wanted to feed your family with it you
would have to buy the family meat package (which comes presliced for up
to three kids)?

And now you'd go to jail if you didn't cook it in separate frying pans.

  -- Niels (stretching analogies for fun and profit)