24 April 2015
For the last few years, Congress has been debating an information-sharing bill to deal with the cybersecurity problem. Apart from the privacy issues—and they're serious—just sharing more information won't do much. A forthcoming column of mine in IEEE Security & Privacy magazine explains what Congress should do instead.
1 April 2015
A group of major ISPs and major content providers have agreed on a mechanism to enforce copyright laws in the network. While full details have not yet been released, the basic scheme involves using previously designed IP flags to denote public domain content. That is, given general copyright principles, it is on average a shorter code path and hence more efficient to set the flag on exempt material.
Authorization is, of course, a crucial component of this scheme. The proper (and encrypted) license information will be added to the IP options field. The precise layout will depend on the operating system that created it—Windows, MacOS/iOS, GNU/Linux, and the various BSDs each have their own ways of enforcing copyright—but back-of-the-envelope calculations suggest that a 256-byte field will hold most license data. (The GNU/Linux option is especially complex, since it has to deal with copyleft and the GPL as well; validity of the license depends on the presence of a valid URL pointing to a source code repository.) To deal with the occasional longer field, though, the IP options length field will be expanded to two bytes. Briefly, packets without the public domain flag set that do not have a valid license option would be dropped or sent to a clearinghouse for monitoring.
It is clear that new border routers will be necessary to implement this scheme. Major router vendors have indicated that they will release appropriate products exactly one year from today's date.
Paying for deployment—routers, host changes, etc.—is problematic. One solution that has been proposed is to use the left-over funds appropriated by Congress to deploy CALEA. This has drawn some support from law enforcement agencies. One source who spoke on condition of anonymity noted that since terrorists and other subjects of wiretaps do not comply with copyright law, this scheme could also be used to identify them without additional bulk data collection. She also pointed out that the diversion option would work well to centralize wiretap collection, resulting in considerable cost savings.
When I learn more, I'll update this blog post—though that might not happen until this date next year.