The Cover of Night: Projects and Research

Technical Oversights in S. 436 and H. R. 1076

February 21st, 2009 by apridgen

Yesterday I was forced to take a break, and I came across an article pointing to this piece of legislation. Some of the intent is good, where Senator Cornyn and Rep. Lamar Smith want to prevent child pornography and other contraband from circulating on the internet. I don’t necessarily appreciate the “other purposes” part, but the focus of this post is on Section 5 (below). I must note I am also not a lawyer, and I do not know how courts or laws address very technical cases that violate contraband laws. But I am reminded of a case a few years ago that was horribly misguided and did more injustice than delivered it [1,2]. These technical oversights by government put innocent people at risk, which is the purpose for this post.

SEC. 5. RETENTION OF RECORDS BY ELECTRONIC COMMUNICATION SERVICE PROVIDERS.

Section 2703 of title 18, United States Code, is amended by adding at the end the following:

`(h) Retention of Certain Records and Information- A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.’

This section/amendment essentially makes it a requirement for every hot spot, free WiFi cafe, or open network to register people who use their network. There are other people who are adversely affected, but small business owners are at the forefront of my mind, because I also have a small business, not to mention a home network which visitors use. Generally speaking, small businesses do not have the capability to register, monitor, and record every person who uses their network, let alone keep and maintain the data for an extended period of time.

As an engineer, I often weigh the benefits and risks of anything, and below is a set of arguments/ideas/facts that I think this amendment does not consider:

  1. These controls are difficult to maintain even for the most vetted and seasoned organizations and enterprises. Companies make a significant amount of money and/or organizations expend a large number of man-hours building, deploying, and maintaining systems to perform the tasks described in Section 5. Considerations must be made for confidentiality and non-repudiation of the users, protection of the generated data, and ensuring the data’s integrity, not to mention manageability and availability of the system. Building, deploying, and maintaining these types of systems requires constant effort and vigilance.
  2. Given the data must be retained for two years, there is no consideration about keeping its integrity. If the integrity of the data is corrupted then it is useless from a legal standpoint and even a technical standpoint. For example, someone could tamper with the information and make the guilty person look innocent and the innocent person look guilty. This retention should also cause citizens greater concern. More information and data about them is collected, and the likelihood of them being victims of identity theft increases significantly due to information disclosure or someone selling their information.
  3. Law enforcement may or may not have the capability to sift through all this information, but it really comes down to trying to find a needle in a haystack. Even if they can put the person at the location, they have to prove that the person was doing evil and they have to prove all the traffic originated from the bad guy’s machine. In a probable scenario, the bad guy can steal an innocent person’s network identity and use that to commit the crime. Now the innocent person can be implicated in the crime. Another viable attack is simply exploiting protocols to send and receive unregistered or covert traffic to and from the internet. In this case, there is no real evidence that associates the bad guy to the traffic, except the circumstance that they were there at that particular time, and even still the bad guy could use an unattended device to transmit the data, leave, and then come back at a later time to pick the device up.
  4. Bad guys can run their own email and internet services, which can elude law enforcement.
  5. If the bad guys use encryption, it will be nearly impossible for law enforcement to even look at the traffic. This means the content of the traffic may not be discovered, and circumstantial relationships must be drawn between the contraband server and the bad user. The relationship might also break down if the user uses one or more proxy servers scattered throughout the internet. This means the bad guy does not make a direct connection to the server or service that has the contraband.
  6. I mentioned earlier that there are technical means to indirectly connect one host to another. One such project is The Onion Router (tor) Project. HD Moore developed a method to stop file sharing, and in turn sharing of contraband, over tor [3,4], but this can again be circumvented by turning off JavaScript in the browser as described in [1].
  7. As I mentioned in a previous argument, it is not difficult for a person(s) to adjust any addressing on their computer. They can simply adjust their MAC address each time they connect to the network, change their IP address manually, or steal (or borrow) credentials from someone else. While there are protocols and technical controls out in the public to prevent most of this activity, these solutions can be technically challenging for the average business owner and if they are done incorrectly, the net result is the same if it was done incorrectly.
  8. My final point is the fact that this amendment creates and maintains an overabundance of information in the world about us. I do not subscribe to this universal collection just for the purpose of catching a few bad people. There is an incredible effort and requirement needed to protect this information, and I do not find it fair to place the burden on neighbors or small businesses to record every bit of data someone generates on their network, as this law could be used to do.
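To make point 2 concrete, here is an added example (not part of the original post) of what integrity protection for retained address-assignment records involves at minimum: each record is chained to the previous one with a keyed hash, so an edited or removed entry is detectable by whoever holds the key. The record fields, function names, and sample data are hypothetical and constructed for illustration; the chain shows only that a record is unchanged since it was written, not that the identity recorded in it was genuine.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag value that precedes the first record


def _tag(key, prev_tag, record):
    """HMAC-SHA256 over the previous tag plus the canonical JSON of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append_record(log, key, record):
    """Append a lease record, chaining it to the tag of the previous entry."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"record": record, "tag": _tag(key, prev, record)})


def first_bad_entry(log, key, anchor=None):
    """Return the index of the first failing entry, or -1 if the log verifies.
    anchor is the last tag, copied off the logging host; it exposes truncation."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["tag"], _tag(key, prev, entry["record"])):
            return i
        prev = entry["tag"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return len(log)
    return -1


def build_sample_log(key):
    """Constructed sample data: three address assignments at a cafe hotspot."""
    records = [
        {"ts": "2009-02-20T18:01:00Z", "ip": "192.0.2.10", "mac": "02:00:00:00:00:0a", "user": "guest-a"},
        {"ts": "2009-02-20T18:05:00Z", "ip": "192.0.2.11", "mac": "02:00:00:00:00:0b", "user": "guest-b"},
        {"ts": "2009-02-20T18:09:00Z", "ip": "192.0.2.12", "mac": "02:00:00:00:00:0c", "user": "guest-c"},
    ]
    log = []
    for rec in records:
        append_record(log, key, rec)
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice kept off the logging host
    log = build_sample_log(key)
    log[1]["record"]["user"] = "guest-a"  # shift the blame to another user
    print(first_bad_entry(log, key))  # prints 1
```

Even this minimal scheme needs a secret key and an off-host copy of the latest tag, both protected for the full two-year retention period.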

There are a number of other arguments and technologies that make this type of data collection worthless. This amendment really does not solve the problem at hand nor does it make it easier to catch a criminal. I am not trying to degrade the politicians, their character, or that of their constituents, but there truly is a disconnect and a misunderstanding about the true technical, economic, and social impact of this amendment and its real effect on solving the problem. In reality, this legislation is bad and makes more problems for the wrong people than it hurts those who are doing the wrong. I am not OK with the bad guys doing their evil, but based on my technical knowledge, I object to the amendment because it adds more security, privacy, and economic concerns/problems than it really looks to solve.

So I wrote a letter:

Senator Cornyn,

I have reviewed your proposed amendment to Section 2703 of title 18 in the proposed legislation S 436, Section 5, and I believe this amendment will not make it possible to prevent the exploitation of children, and it will become a burden on small businesses and providers, as well as impede on civil liberties of the common citizen.

First off, I am an internet security professional, and I have identified at least 4 fallible assumptions that make this amendment moot and a burden. First, child pornographers can run their own servers, which means they do not need to use content providers to traffic information. Second, the data can be encrypted, so not even the internet service provider can read or monitor the traffic. Next, if a person so wishes anonymous access to the internet, they can visit a business offering free wifi, where they can anonymize their traffic in a number of technical ways. Finally, any person who accesses these small businesses may provide a false set of credentials to access the open network. In addition, the amendment will create an overabundance of information and data which may be invalidated in a court of law, due to improper storage and handling.

This amendment will only expend taxpayers’ resources with little or no return. Please reconsider your support for this bill.

Respectfully,

Adam Pridgen, CISSP, M.S. Engineering

I leave the “other purposes” clause for someone else to debate.

Bibliography:
1. G. Craciun. “Malware Ruins Teacher’s Life: Ever wondered how malware can endanger your life?” (2009). Softpedia [Online]. Available: http://news.softpedia.com/news/Malware-Ruins-Teacher-039-s-Life-89763.shtml
2. L. Beyerstein. “Connecticut Teacher Facing Jail for Porno Popups” (2009). The Huffington Post [Online]. Available: http://www.huffingtonpost.com/lindsay-beyerstein/connecticut-teacher-facin_b_39384.html
3. R. Lemos. “Tor Hack Proposed to Catch Criminals” (2009). Security Focus [Online]. Available: http://www.securityfocus.com/news/11447?ref=rss
4. H. D. Moore. Torment Project Code Repository (2009). Metasploit [Online]. Available: http://metasploit.com/svn/torment/trunk/
