Like many people in the information security industry, the Electronic Frontier Foundation holds a special place in my heart. You’ll notice their fundraisers at DefCon and other conferences, and of course they are a well-known “lawyer of last resort” for many of the hackers who get caught with their hands in the cookie jar. But recently, in my opinion, they’ve lost their way, and instead of advocating for freedom, they’re advocating for a vague sense of “Internet security.”
Earlier this year, the EFF, which bills itself as the “first line of defense” for “our freedoms in the networked world” wrote a paper calling for the exact opposite - what amounts to government regulation of vulnerability and exploit sales. Of course the EFF doesn’t see it this way - according to its spokesmen, they’re only seeking to prevent the US government from dealing in zero-days, but to think this wouldn’t eventually result in industry-wide regulation is short-sighted.
I recommend this article to anyone who hasn’t yet read it and still supports the EFF. The EFF statement makes a number of arguments, but they can be boiled down to these main points:
- “Regardless of who the buyers are, any security researcher selling zero-day exploits to those who take advantage of vulnerabilities rather than fixing the software is responsible for making the Internet less secure for users.”
- “If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal.”
First, let’s be clear about what the EFF is saying: it wants the federal government to bar itself from 0day sales. While this isn’t directly regulating the 0day industry at large, it certainly has the potential to - after all, is it realistic to think the federal government would prohibit itself from dealing in 0days but allow everyone else to continue doing it? Then there are the requisite legal questions - if 0days are barred (at least partially) or, worse, fully regulated, doesn’t that open the door to regulating what type of code can be written and how it is distributed? That means sacrificing freedom for the sake of security, a stance I used to think the EFF was opposed to, given its role in such cases as Bernstein v. DOJ.
I brought this up recently on the DailyDave mailing list, and received responses from the EFF, including one from the article’s co-author, Trevor Timm. In his response, Timm argues that the EFF article is “not about coders at all,” but rather about what the government does:
“The basic point we were trying to make is that Congress should look at the government's own actions and consider what it could do to improve security before passing sweeping new legislation to scale back everyone else's rights. That includes the government's own decisions to keep information from companies and the public that could help secure networks, systems, and critical data -- as part of a hidden offensive strategy or otherwise.”
But this is either a disingenuous argument, or a severely flawed one. Here’s why the EFF’s statements don’t hold up:
- Regulation in this area is intensely harmful to security research. Germany has already put laws in place (the 2007 “hacker paragraph,” §202c StGB) to restrict what kinds of information can be discussed with regard to computer security, and what tools can be possessed or installed on German computers. This resulted in a severe voluntary clampdown on security research in Germany, as no researcher wanted to be the first to be prosecuted.
- There are no clear definitions of vulnerability or exploit. The EFF would have you believe that there is some way to say that a piece of software is “dangerous” or not. Nothing could be further from the truth. Any attempt at regulation in this area simply adds an unreasonable regulatory burden to every company writing software. I hesitate to guess how any legal weapons in this area will be used by lawyers - certainly they will not be used to increase Internet freedoms. It is technically naive to think there is any clear way to move forward on legal language that will do less harm than good here. The EFF used to have a strong technical, scientific and mathematical base that directed their advocacy. Clearly this base has withered, to be replaced only by a fear of the unknown.
- The government would not be the only one restricted. Is it realistic that the federal government would forbid itself from participating in 0day transactions, but allow the trade in general? That’s highly unlikely. There’s no way to regulate a portion of the 0day market - it’s all or nothing. That means every “exploit sale” in the US would be subject to supervision and regulation by the US government. Sound promising? The practical consequence of this is that much of the “legitimate” security research market in the US would shut down.
- Zero-days do not equal tools of oppression. Vulnerabilities by themselves make up the smallest part of a “cyber-weapon” like Stuxnet, Duqu, Flame, Mahdi, etc.; the bulk of such a tool is its payload, command-and-control and operational infrastructure. So this risk is a bit overstated. In reality, cyber tools of oppression most often take the form of databases.
- The EFF cannot push for this kind of vulnerability regulation and still stand for digital freedom. Attempting to “secure the Internet” is the kind of windmill tilting previously reserved for other organizations. Our society also faces challenges unique to our time - a time in which the government can track every citizen’s physical location via their cell phone, recover their Facebook postings with only the lightest legal pressure, and store database upon database of their private information without any recourse for the citizen. Not to mention that 18-year-old hackers are facing jail time equivalent to a serial killer’s. Who is to be their voice, if the EFF has lost its way?
In some senses, Internet advocacy is, like the Internet itself, a binary thing. You can be a voice for a perfectly secure Internet, regulated and surveilled, as safe as a kindergarten playroom. Or you can be a voice for messy and chaotic liberty - for a citizen’s personal privacy in an electronic world. You cannot do both, and I do not think the EFF knows which it is doing anymore.