Peter Coffee rues the dearth of common sense in cyber-legislation.
When eight states propose laws that could make it illegal to use a network firewall, it would be nice if working IT professionals could laugh it off. It would be nice if those who know better could assume that laws like these would fail as quickly and obviously as a measure that seeks to repeal the law of gravity.
Unfortunately, I've seen little in the history of cyber-law to inspire much hope that legislation will converge with common sense -- not, that is, unless those who understand IT operations start taking a more active role in writing the rules.
Texas, Massachusetts, South Carolina, Florida, Georgia, Alaska, Tennessee and Colorado propose to forbid the use of any technology that conceals "the existence or place of origin or destination of any communication." Such as, for example, a router? Or a network address translator? Or any of several other basic tools of Internet connection and management?
From what I've seen, most legislative bodies routinely fail to understand the requirements of practical system administration and their difference from malicious mischief. The resulting laws can criminalize everyday practices.
For example, suppose I drafted an attempt at an anti-hacking law that made it a crime "to alter or remove information resident on a computer system without the permission of the person who originated that information"? That sounds good, until you realize that a system administrator could no longer purge the e-mail files of an employee who had left the company unless that former employee gave consent. In fact, that language is so badly drawn that I technically could not delete unsolicited commercial e-mail messages unless they contained a clause allowing me to do so.
Before you object that no competent body would write a law that could be interpreted in this way, consider this clause from the Council of Europe Convention on Cybercrime, passed in November 2001 and still binding on signatory nations: "Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data."
Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues. Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, and he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.