Why Legislators Need Technologists
A rather bizarre bill has been introduced in the Michigan legislature, the Anticorruption of Public Morals Act, H.B. 4938. While there’s a lot to object to in the bill, I’ll leave the broader criticisms to others and focus on some technology issues.
The goal of the bill is specified in §3(1): “A commercial entity, public institution, private actor, or internet platform shall not knowingly distribute or make available prohibited material”—basically, their perception of pornography—“via the internet to any individual in this state.” Even legislators know that location-spoofing is easy, so §3(5) bars the sale of “circumvention tools”—and that’s where the trouble starts.
§2(a) defines “circumvention tools” as “any software, hardware, or service designed to bypass internet filtering mechanisms or content restrictions including virtual private networks, proxy servers, and encrypted tunneling methods to evade content restrictions.” “Designed to bypass” and “to evade” are doing a lot of work here, but the technologies named are most certainly vital and multi-use. Virtual private networks (VPNs), for example, go back at least to SP3, a US government design intended to protect communications on the Internet. I wrote about a mechanism to create VPNs in 1990. Most important, the IETF defined some VPN protocols in IPsec (1998). None of these were designed to “bypass” filtering or “evade” content restrictions, because there were no such things back then. Rather, they were designed to provide broad traffic protection and to extend corporate networks beyond the firewall.
And tunneling? It’s been part of ssh since its beginning, in 1996. Again, there was no conception of evading content restrictions.
VPNs and ssh tunnels are vital business tools—but this bill requires Michigan ISPs to “actively monitor and block known circumvention tools” (§3(3)). It is not only ordinary businesses that use them; ISPs use them to manage their infrastructure. This bill might outlaw secure operation of any ISP in the state, to say nothing of business travelers to Michigan.
Can this detection even be done? Well, if you use standard port and protocol numbers, you can detect ssh and IPsec, but there’s no requirement that anyone use the standard numbers. Detecting them otherwise implies using deep packet inspection on all traffic, which is hideously expensive and trivial to bypass.
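The difference between the two kinds of check in the paragraph above, as an added example that is not part of the original post: it runs a header-only classifier and a payload classifier over constructed flow records. The `Flow` record and the function names are hypothetical; the numbers are the IANA assignments, and the payload check is simplified to the SSH identification string of RFC 4253.

```python
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17
# IANA assignments: IP protocol 50 = ESP and 51 = AH (IPsec);
# UDP 500 = IKE, UDP 4500 = IPsec NAT traversal, TCP 22 = ssh.
BY_IP_PROTO = {50: "ipsec-esp", 51: "ipsec-ah"}
BY_PORT = {(UDP, 500): "ipsec-ike", (UDP, 4500): "ipsec-nat-t", (TCP, 22): "ssh"}

@dataclass
class Flow:                      # hypothetical flow record for this example
    ip_proto: int
    dst_port: int                # 0 where the protocol has no ports
    first_bytes: bytes           # start of the first payload seen

def classify_by_number(flow: Flow) -> Optional[str]:
    """Header-only check: cheap, but trusts that standard numbers are used."""
    if flow.ip_proto in BY_IP_PROTO:
        return BY_IP_PROTO[flow.ip_proto]
    return BY_PORT.get((flow.ip_proto, flow.dst_port))

def classify_by_payload(flow: Flow) -> Optional[str]:
    """Payload check: needs the bytes of every flow. Simplified to the
    'SSH-2.0-' / 'SSH-1.99-' identification string of RFC 4253."""
    if flow.ip_proto == TCP and flow.first_bytes.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    return None

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = {
    "ssh on 22": Flow(TCP, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "ssh on 2222": Flow(TCP, 2222, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "web server on 22": Flow(TCP, 22, b"HTTP/1.1 200 OK\r\n"),
    "esp": Flow(50, 0, b"\x00\x00\x10\x01\x00\x00\x00\x07"),
    "ike nat-t": Flow(UDP, 4500, b"\x00\x00\x00\x00"),
    "https": Flow(TCP, 443, b"\x16\x03\x01\x02\x00\x01"),
}

def compare(flows):
    """Return {name: (verdict by number, verdict by payload)}."""
    return {n: (classify_by_number(f), classify_by_payload(f)) for n, f in flows.items()}

if __name__ == "__main__":
    for name, verdicts in compare(SAMPLE_FLOWS).items():
        print(f"{name:18} number={verdicts[0]!s:12} payload={verdicts[1]}")
```

The header check mislabels the non-ssh service on port 22 and misses ssh on port 2222; the payload check gets both right only by reading bytes from every flow.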
It gets worse. §4, which applies to any “internet platform, website, or social media service that is accessible by a user in this state”, imposes a pile of restrictions. “Any website… accessible by a user in this state” is basically the entire Internet—but every such site has to comply. The Michigan-specific filtering has to be applied “uniformly across all users,” presumably including those not in Michigan. Everyone has to implement content moderation tools, except that automated ones don’t work and human ones don’t scale. And of course, every web site on the planet has to file an annual report with the Michigan state police. I wonder how many languages the state police can read—the bill doesn’t seem to require that the reports be in English…
In a minor vein, §2(f)(ii)(A) exempts “peer-reviewed academic content”. I suspect that the people behind this bill have never heard of, e.g., arxiv.org, a preprint site. Most (but not all!) content there is intended for eventual peer review, but it hasn’t been peer-reviewed yet. Subsection (B) exempts “material to be used for scientific and medical research or instruction”, but not all material there is intended to further future scientific research.
In short: even if getting “pornography” were a good idea, this bill is a horrible way to go about it.