Corporations are mad as hell, and they’re not going to take it anymore. At least that’s the gist of the recently issued, less-than-mellifluously titled “Report of the Commission on the Theft of American Intellectual Property.” Compiled by former Republican presidential hopeful Jon M. Huntsman; Dennis C. Blair, a former Director of National Intelligence and Commander in Chief of the US Pacific Command; and others from the “private sector, public service in national security and foreign affairs, academe, and politics,” the report calls IP theft “one of the most pressing issues of economic and national security facing our country.”
Usually when terms like “intellectual property theft” and “copyright enforcement” are bandied about they relate to the entertainment industry’s dismay over unfettered piracy. So it’s not surprising that one portion of the report has received special attention. Buried toward the end, in the chapter titled “Cyber Solutions,” are “recommendations” for dealing with the rampant theft of intellectual property:
Software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved.
Cory Doctorow over at Boing Boing interpreted this to mean that the committee was endorsing the use of malware “to punish people believed to be copying illegally.” The report, which Doctorow calls “bonkers,” proposes “that software would be loaded on computers that would somehow figure out if you were a pirate, and if you were, it would lock your computer up and take all your files hostage until you call the police and confess your crime. This is the mechanism that crooks use when they deploy ransomware.”
Doctorow goes on to say that “It’s just more evidence that copyright enforcers’ network strategies are indistinguishable from those used by dictators and criminals.”
Strong words indeed. But Doctorow isn’t the only one to view the committee’s recommendations as a potential assault on consumers. Blogger Lauren Weinstein claimed after reading that passage that he almost did a “spit-take” onto his screens while sipping his morning coffee and wondered if the committee that prepared the report had been “smoking ‘funny cigarettes’ during its drafting.” Like Doctorow, he points out that this offensive tactic mimics how some malware programs work: Suddenly you receive a warning on your computer that accuses you of possessing some form of illicit material (usually porn or material that violates copyright) and demands that you contact an address for more information or pay an immediate fine. Of course, it’s all a scam. If you click on the link you’ll likely download more malware.
While I think Doctorow and Weinstein offer a fair interpretation of what the report says, I don’t think that’s what its drafters intended to say, which is, of course, the fault of the committee. The vast majority of the report deals with foreign economic espionage, notably at the hands of China, which treats the United States as one giant R&D lab, stealing trade secrets, technical know-how, software code, and the like. The report’s authors estimate that China accounts for roughly 70 percent of all intellectual property thefts, while 70 percent of the value of publicly traded corporations is “intangible assets” – in other words, IP. In one striking case reported by Bloomberg last year, a Chinese customer stole the source code for wind-energy software from American Superconductor Corporation, which as a result lost 90 percent of its stock value.
The report offers a bunch of suggestions for dealing with this problem, few of which will ever be implemented because of the leverage China has over the US. But the one that has gotten a lot of media attention is the recommendation that calls for “necessary changes in the law with a changing technical environment.”
While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.
While the spy novelist in me appreciates the scenario, can you imagine the fallout that would occur if American corporations hit back at Chinese companies? It could lead to corporate war irrespective of national boundaries and outside the control of governments. In 2005, Sony installed anti-piracy software on compact discs to restrict the devices they could play on, limit the number of copies that could be made, and eavesdrop on consumers’ listening habits so the company could send them marketing messages. That led to a major brouhaha, public shame for Sony, and the attention of the Federal Trade Commission, which labeled Sony’s draconian digital rights management application a security risk. Throw in geopolitics, foreign trade, and trigger-happy militaries, and you can imagine the kind of mess that could ensue.
The problem is that the report walks back from these cyber-militaristic approaches after they are introduced. In a later chapter the report says that if the loss of IP continues at current levels, then laws should be changed so that hackers could be, in essence, hacked by their targets, which would raise the “cost to IP thieves” and potentially deter them in the first place. Then the committee says it does not yet endorse this.
In the end, it’s hard to divine exactly what the authors are saying. But at least they don’t have to worry about people illicitly copying their report, sharing it willy-nilly and violating their copyright. Because not many people want to read it.