


TPP will outlaw security research done without permission, lead to destroyed devices

Oct 11, 2015 | 4 mins
Data and Information Security, Security

The TPP could lead to seized and destroyed devices, outlaw security research done without permission, and pave the way to perpetual insecurity for the IoT ecosystem.

If you don’t have a DVD or Blu-ray ripper and you want one, then you should consider buying one immediately, because tools that assist in the circumvention of DRM could be banned if the Trans-Pacific Partnership (TPP) is ratified. Of course, if the finalized TPP text, leaked by WikiLeaks, is ratified, then you could be criminally liable if you circumvent Digital Rights Management. While a worst-case scenario might involve copyright infringement, as the TPP sets a copyright term to life plus 70 years, the judicial authorities could also “order the destruction of devices and products found to be involved in the prohibited activity.” The TPP is “all we feared,” according to the EFF.

Although ripping a Blu-ray is a tame example of circumventing DRM which could be banned under TPP, the EFF reported, “The biggest overall defeat for users is the extension of the copyright term to life plus 70 years.” When combining the TPP’s rules regarding copyright infringement with a ban on circumventing DRM, the EFF warned, “The odd effect of this is that someone tinkering with a file or device that contains a copyrighted work can be made liable (criminally so, if willfulness and a commercial motive can be shown), for doing so even when no copyright infringement is committed.”

Alongside the prohibition on circumvention of DRM is a similar prohibition on the removal of rights management information, with equivalent civil and criminal penalties. Since this offense is, once again, independent of the infringement of copyright, it could implicate a user who crops out an identifying watermark from an image, even if they are using that image for fair use purposes and even if they otherwise provide attribution of the original author by some other means.

The distribution of devices for decrypting encrypted satellite and cable signals is also separately proscribed, posing a further hazard to hackers wishing to experiment with or to repurpose broadcast media. 

“One of the scariest parts of the TPP,” wrote the EFF, “is that not only can you be made liable to fines and criminal penalties, but that any materials and implements used in the creation of infringing copies can also be destroyed. The same applies to devices and products used for circumventing DRM or removing rights management information…This could lead to a family’s home computer becoming seized simply because of its use in sharing files online, or for ripping Blu-Ray movies to a media center.”

Years ago, the EFF warned “hackers, makers and tinkerers” just how badly the TPP could hurt them. Jeremy Malcolm, EFF’s senior global policy analyst, told Motherboard’s Jordan Pearson:

“As a result, those who are tinkering with their own legally-purchased digital products will be at risk not only of financial penalties, but also having their equipment seized and perhaps destroyed.”

President Obama is proud of the TPP; if ratified, it “would be a legacy-defining victory.” According to the White House TPP fact sheet, the TPP “protects digital freedom and preserves an open Internet.” It supposedly “includes standards to protect digital freedom, including the free flow of information across borders – ensuring that Internet users can store, access, and move their data freely,” yet the TPP also suggests offering “legal incentives” to ISPs in order for ISPs to act as copyright enforcers.

Regarding overall security, if the TPP is ratified then insecurity wins. If ratified, the TPP could leave IoT “in a state of chronic device ecosystem insecurity.” Vivek Krishnamurthy, a cyberlaw instructor at the Berkman Center for Internet and Society at Harvard, told Motherboard, “The TPP is going to prohibit people from checking these devices to see if they work as advertised.” Before checking if a device works, hackers, tinkerers, makers and anyone else will “have to get permission from someone to do that research.”

Security researchers who find flaws without first having permission to hack a device could have their devices destroyed, or worse, for example if a vulnerability they found were related to “unauthorized, willful access to a trade secret held in a computer system.” The EFF wrote:

There is no evident explanation for the differential treatment given to trade secrets accessed or misappropriated by means of a computer system, as opposed to by other means; but it is no surprise to find the U.S. pushing such a technophobic provision, which mirrors equivalent provisions of U.S. law that have been used to persecute hackers for offenses that would otherwise have been considered much more minor.


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.