IT Laws Defy Reality

Peter Coffee rues the dearth of common sense in cyber-legislation.

When eight states propose laws that could make it illegal to use a network firewall, it would be nice if working IT professionals could laugh it off. It would be nice if those who know better could assume that laws like these would fail as quickly and obviously as a measure that seeks to repeal the law of gravity.

Unfortunately, Ive seen little in the history of cyber-law to inspire much hope that legislation will converge with common sense—not, that is, unless those who understand IT operations start taking a more active role in writing the rules.

Texas, Massachusetts, South Carolina, Florida, Georgia, Alaska, Tennessee and Colorado propose to forbid the use of any technology that conceals "the existence or place of origin or destination of any communication." Such as, for example, a router? Or a network address translator? Or any of several other basic tools of Internet connection and management?

From what Ive seen, most legislative bodies routinely fail to understand the requirements of practical system administration and their difference from malicious mischief. The resulting laws can criminalize everyday practices.

For example, suppose I drafted an attempt at an anti-hacking law that made it a crime "to alter or remove information resident on a computer system without the permission of the person who originated that information"? That sounds good, until you realize that a system administrator could no longer purge the e-mail files of an employee who had left the company unless that former employee gave consent. In fact, that language is so badly drawn that I technically could not delete unsolicited commercial e-mail messages unless they contained a clause allowing me to do so.

Before you object that no competent body would write a law that could be interpreted in this way, consider this clause from the Council of Europe Convention on Cybercrime, passed in November 2001 and still binding on signatory nations: "Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data."