markdown
----- authorsNote: The views expressed in this document are my personal views and do not represent those of my colleagues, friends or any organization with which I am affiliated. title: Why anti-money laundering laws and poorly designed copyright laws are similar and should be revised abstract: Abstract: Intentionally or unintentionally, poorly crafted or outdated laws and technical standards threaten to undermine security, privacy and the viability of our most promising new technologies and networks, such as Bitcoin and Blockchain. We should vigilantly be reviewing and revising laws and standards for the public good and working to prevent the creation of fragile and cumbersome systems designed to comply with these poorly crafted or outdated laws. In this post, I discuss the Digital Millennium Copyright Act’s Anti-Circumvention provision, Digital Rights Management, Anti-Money Laundering Law, Know Your Customer Laws and security backdoors. author: joi_ito name: Joichi Ito ----- The Internet’s founding principles -- openness, unbundling, diversity, open standards -- made it robust; a force for democratizing access. That access created an explosion of innovation far beyond anyone’s imagination. The Internet’s openness is its strength. It is a “stupid network” [[{"pluginType":"cite","reference":{"title":"Rise of the Stupid Network","url":"http://www.isen.com/stupid.html","journal":"Computer Telephony","pages":"16-26","year":"1997","_id":"56f4a130e44f4b3d003ada92","label":"stupidnetwork"}}]] whose internals are unbundled into layers of open standards that sandwich layers of diversity and innovation. Stupid networks focus on transporting bits from one place to another. That end-to-end principle allows for innovation at the network’s edges. By “unbundling” the transportation of bits from the provision of services, applications can be developed without permission. This is where we get the innovation in services that the network’s architects and managers never imagined or had to plan for. There is a perennial call to “make the network smart.” Someone always wants to optimize it, establish “quality of service” mechanisms -- for example, to make voice calls more reliable. But whenever you optimize the network for one thing, you risk de-optimizing it for another. It turns out that just adding more bandwidth has been cheaper than making the network “smarter” (This argument - that you fix networks by making them faster, not smarter - is key to understanding net neutrality). Policy makers grapple with the nature of the open Internet with varying results. Sometimes they’ll pass rules or orders that “break” these principles or induce changes in the Internet’s architecture that work against its openness. These are usually the result of pressure from law enforcement or corporate capture in regulation and standards. Here are a few of the worst offenders: rules, laws and standards that do damage to the net’s architecture, exceeding any benefit they deliver for their champions: ### The Anti-Circumvention Provision in the Digital Millennium Copyright Act Sections 1201-1203 of the 1998 Digital Millennium Copyright Act (DMCA) make it illegal to circumvent locks that restrict access to copyrighted works regardless of whether you are actually breaking copyright law. This means that companies can use digital locks to hide content to which we should have legitimate access, and those locks have the force of law -- breaking them is a felony with a maximum sentence of five years in prison and a $500,000 fine. It doesn’t matter how legitimate your access is. You could be delving into your own car’s computers, your medical implant’s data-streams, or even content you created on devices you own yourself. (Farmers who gather soil-density surveys of their own fields while driving their tractors around them are not allowed to see those data unless they buy the data back from John Deere). This also inhibits research that focuses on whether the security of such systems is robust. The FDA, for example, has been trying to get medical device companies to allow hacking currently prevented by the DMCA. [[{"pluginType":"cite","reference":{"title":"FDA presses medical device makers to OK good faith hacking","url":"http://www.csmonitor.com/World/Passcode/2016/0210/FDA-presses-medical-device-makers-to-OK-good-faith-hacking","journal":"The Christian Science Monitor","year":"2016","_id":"56f4a130e44f4b3d003ada8b","label":"fdadmca"}}]] The Library of Congress has added car software to the list of exemptions from anti-circumvention [[{"pluginType":"cite","reference":{"title":"Soon It'll Be OK To Tinker With Your Car's Software After All","url":"http://www.npr.org/sections/alltechconsidered/2015/10/27/450572915/soon-itll-be-ok-to-tinker-with-your-cars-software-after-all","journal":"all tech considered","year":"2015","_id":"56f4a130e44f4b3d003ada8e","label":"loccar"}}]], but unfortunately it appears that "exemptions created under the rulemaking apply only to the act of circumvention, and not the development and distribution of circumvention tools." [[{"pluginType":"cite","reference":{"title":"What’s Missing from the Register’s Proposals","url":"http://www.recreatecoalition.org/whats-missing-from-the-registers-proposals/","year":"2015","publisher":"re:create","_id":"56f4a130e44f4b3d003ada8f","label":"missingloc"}}]] Tough luck for drivers and researchers who aren't also encryption experts. ### Digital Rights Management (DRM) & The World Wide Web Consortium (W3C) The W3C is currently standardizing DRM for use in HTML5, the next generation of core Web standards. By allowing DRM to be included in the standard, we “break” the architecture of the Internet by allowing companies to create places to store data and run code on your computer that you do not have access to and where breaking into code on your computer would constitute breaking the law. This is both a security risk and a fundamentally fragile system where vast amounts of content and information could be lost in the future as technologies evolve and companies change. While DRM has been touted as critical for business, it is clear that people are willing to pay for streaming and licensing of content without technical protections. If someone could actually afford to pay the fees currently charged by the streaming vendors, why would they go to an illegal pirating site to download something? Netflix, Apple Music, Spotify and Pandora would most likely not even notice, nor would their users, if they removed DRM technology. While it may not be in their interest to announce the death of DRM, it’s likely to die a quiet death. In the meantime, we will be left with a broken and fragile architecture, as well as browsers whose internals are off-limits to security researchers, who face brutal punishment for trying to determine whether your gateway to the Internet is secure enough to rely on. ### Anti-Money Laundering Law (AML) and Know Your Customer Laws (KYC) There are many laws that have been created to prevent money laundering - crimes that disguise the original ownership and control of the proceeds of criminal conduct by making such proceeds appear to have derived from a legitimate source. One of the reasons these laws exist is to track terrorists and criminals by monitoring money flows. Laws to prevent money laundering create a requirement to report transactions above a threshold (usually $10,000), to report assets held anywhere in the world in your tax returns and for banks to “know your customer” and keep detailed records of who their customers are and what they are doing. Breaking these regulatory requirements is illegal. Like the anti-circumvention law, while you may not actually be laundering money, breaking these anti-money laundering monitoring systems constitutes a crime. The personal information and transaction details are collected are stored in databases, and this presents a substantial risk to society. Criminal and foreign government hackers have over and over again hacked the most protected of government databases, such as the personal information of US government employees with security clearance in the OPM database. [[{"pluginType":"cite","reference":{"title":"Hacks of OPM databases compromised 22.1 million people, federal authorities say","url":"https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/","journal":"The Washington Post","year":"2015","_id":"56f4a130e44f4b3d003ada90","label":"opm"}}]] In addition, these laws require banks and financial institutions to collect this information and structure their systems to allow this information to be collected, also making these systems vulnerable to attack. While access to this information can sometimes be useful in investigations, almost all of the sophisticated technology to “catch the bad guys” doesn’t require access to the content of the messages, but rather only access to the metadata. This is evident in modern Signal Intelligence (SIGINT: the collection of data ranging from satellite communication to Internet packets), where intelligence and law enforcement agencies rely mostly on machine learning (artificial intelligence) and pattern recognition extracted from metadata, rather than from the content of the messages. (Snowden released a document revealing the state of the art of goverment SIGINT. [[{"pluginType":"cite","reference":{"title":"HIMR Data Mining Research Problem Book - Redacted","url":"https://www.documentcloud.org/documents/2702948-Problem-Book-Redacted.html","year":"2011","note":"UK Top Secret STRAP1 COMINT released by Edward Snowden","_id":"56f4a130e44f4b3d003ada8c","label":"himrdatamining"}}]] ) We are already seeing both research and practice in conducting SIGINT on the blockchain. [[{"pluginType":"cite","reference":{"title":"BitIodine: Extracting Intelligence from the Bitcoin Network","url":"https://miki.it/articles/papers/#bitiodine","year":"2014","note":"First presented at Hack In The Box: Kuala Lumpur - October 15, 2014","_id":"56f4a130e44f4b3d003ada88","label":"BitIodine"}}]] With Bitcoin and Blockchain technology in “vanilla” form, the ability to perform SIGINT is actually HIGHER than traditional more closed systems. AML and KYC laws are often impossible to implement while balancing the privacy of the users because the Blockchain is potentially visible to the whole world and not under the control of the selected entities. In fact, I believe that we must not only prevent the collection of the same kind of information in traditional financial system, but we must also discuss developing technologies to prevent privacy risks from the analysis of the Blockchain. If we are to deploy Blockchain broadly, we will have to look at both AML and KYC laws and upgrading them, taking into account the new technical architecture and environment and balancing the privacy and security concerns. The traditional financial system as we know it will undergo significant changes in the future, especially if we are headed in the direction of Bitcoin and Blockchain. We cannot expect the current AML and KYC laws to work in this new dimension: these laws were conceived for closed, highlyguarded systems and not for international, open, technical standards. For instance, the “travel” rule [[{"pluginType":"cite","reference":{"title":"Funds “Travel” Regulations:Questions & Answers","url":"https://www.fincen.gov/news_room/rp/advisory/html/advissu7.html","number":"Advisory: Issue 7","year":"1997","publisher":"United States Department of the Treasury, Financial Crimes Enforcement Network","_id":"56f4a130e44f4b3d003ada93","label":"travelrule"}}]] requires financial institutions to pass personal information to the next financial institution when transmitting funds. There is currently no secure or easy way to do this on the Blockchain. Just like with the Internet, weaknesses in networks like the Blockchain propagate to countries and regions where privacy risks to users could cause significant risks to human rights workers, journalists or anyone who questions authority. The conversation on creating new AML and KYC laws for new financial systems like Bitcoin and Blockchain needs to be a global one. ### iPhone/Backdoors While putting backdoors on all of our communications and/or banning encryption hasn’t been passed as a law, there is a precedent for what is going on with Apple and the FBI. In the 90s, as telephones were going from analog phone lines to digital, the FBI argued that it could become more difficult to serve wiretap orders on phone companies. Rather than connecting alligator clips to wires at the phone company’s offices, they would have request their own backdoor on the switches the phone companies used. When the government offered to pay the cost, the phone companies accepted the deal and the Communications Assistance for Law Enforcement Act (CALEA) was born. The FBI has built an extensive data collection system on top of this system. (One distinction is that CALEA is about backdoors on the transport platform, while the current iPhone debate is about encryption on the edges of the network.) While Silicon Valley appears to be resisting the government requests more than the telephone companies did, they are under constant pressure, and as the Snowden documents have revealed, it appears that many companies have provided these back doors. While I’m sure law enforcement officers would love to have even more tools for their investigations, we already have more tools to track and monitor the “bad guys” than at any time in history. The problem with backdoors is that they create a fragile infrastructure. So that even if you believe that we can trust the US government and US law enforcement, this creates a weakness that can be exploited by the “bad guys.” One great example of the backdoor that was recently found on the Juniper’s ScreenOS Software. [[{"pluginType":"cite","reference":{"title":"On the Juniper backdoor","url":"http://blog.cryptographyengineering.com/2015/12/on-juniper-backdoor.html","journal":"A Few Thoughts on Cryptographic Engineering","year":"2015","_id":"56f4a130e44f4b3d003ada8d","label":"juniper"}}]] It appears that the government may have created a backdoor on a key secure communication channel, but that someone else (unknown), put a backback door on it exploiting the backdoor to make it their own. In my view, the risk to everyone on the Internet caused by crippling security isn’t worth the incremental increase in the ability for any government to engage in legitimate surveillance. This point was made clear by the President’s Review Group on Intelligence, an expert group, which said that the US government should “fully support and not undermine efforts to create encryption standards; (2) make clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption.” [[{"pluginType":"cite","reference":{"title":"Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications","url":"http://hdl.handle.net/1721.1/97690","number":"MIT-CSAIL-TR-2015-026","year":"2015","_id":"56f4a130e44f4b3d003ada8a","label":"backdoors"}}]] These are just some examples of the “broken” laws and standards. If we do not work actively to prevent the passage of bad laws and standards, and fight to overturn or fix the existing ones, we will soon lose the Internet and all of the freedoms, innovation and opportunities that it represents. Some of my colleagues and members of the Internet community seem to believe that we can ignore regulators, or that regulators are fundamentally at odds with our best interest. I believe that we can’t ignore regulators because they will eventually pass laws that impact the scope and the way in which the technology we are developing is deployed. I also believe that many regulators do believe in trying to strike the right balance, and to engaging with the right people in the right context to help create technical standards and laws that actually work in the real world. We have had many successes such as a relatively unregulated early Internet, but we have also made some mistakes. For instance, were able to stop some mistakes like SOPA and PIPA [[{"pluginType":"cite","reference":{"title":"Protests against SOPA and PIPA","url":"https://en.wikipedia.org/wiki/Protests_against_SOPA_and_PIPA","journal":"Wikipedia","_id":"56f4a130e44f4b3d003ada91","label":"sopapipa"}}]] and also the Clipper Chip [[{"pluginType":"cite","reference":{"title":"Clipper chip","url":"https://en.wikipedia.org/wiki/Clipper_chip","journal":"Wikipedia","_id":"56f4a130e44f4b3d003ada89","label":"Clipper"}}]], but many laws such as the anti-circumvention piece of the DMCA made it through. I believe that we need to vigilantly monitor the activity of lawmakers, regulators, standards bodies and industry groups and their activities. We must constantly review existing legal and regulatory frameworks as we develop new technologies to make sure that they make sense and not default to trying to apply existing laws and regulations to new technologies without careful review from first principles. One of the reasons I am involved in organizations such as [Creative Commons](http://creativecommons.org/) and am excited about helping to create the Digital Currency Initiative at MIT is because [I am interested in trying to avoid mistakes that could undermine the full potential of open and interoperable networks, such as the network of trust and value that Bitcoin and the Blockchain represent.](http://joi.ito.com/weblog/2016/02/22/my-view-on-the-.html) I hope to play a role in working with all parties, such as the users, the technical community, businesses and regulators in trying to develop and implement sustainable and healthy ecosystems that will not ruin the technology or our freedoms, while providing appropriate safeguards and structures for civil society, business and government.