Tuesday, September 7, 2010

Microsoft As The First Internet Privateer?

Terms used to describe concepts in modern intellectual property issues are borrowed from all over the place. One example is "pirate" - a generic term for someone who is stealing intellectual property, or running botnets, or doing something else illegal that results in them taking something that isn't theirs on the internet.

In the age of sail, pirates thrived partially because the wind was free - nobody had to pay for fuel, so once they had a warship the pirates could sail around and look for ships to loot without too much additional cost, and they could flee from warships without using up irreplaceable resources. Food and other supplies (especially ammunition and gunpowder) had to be paid for, but those were fairly cheap compared to how much profit could be gained from capturing a loaded merchant ship.

An interesting legal state was created that was somewhere between being a pirate and being a military warship: the privateer. During the frequent wars between the European powers the opposing governments would provide legal cover for private vessels to raid the shipping of the opposite side, and these private vessels were called privateers. The opposing side might still consider them pirates, but they had legal authority provided by one of the governments to go raid and sink the opponent's shipping.

Today we have criminals using the free (or nearly free) nature of the internet to prey on commerce and unsuspecting internet users, often via botnets - machines owned by others that have been secretly compromised and taken over by the pirates. Operating these machines is almost free - somebody else pays for the hardware, power, and internet connection - so various illegal schemes can be mounted using them to defraud and steal from honest users, and even with a fairly small per-compromised-computer payoff the pirates can end up making plenty of money by building sufficiently large botnets.

Our legal system so far appears to be failing to deal with this in any meaningful way, and the costs are increasing, which threatens our business models and future profits. So how are we ever going to take the botnets down? Maybe it's time for privateers to do our dirty work for us.

I noticed a post on cnet titled "With legal nod, Microsoft ambushes Waledac botnet" that looks like the closest thing to a privateer in action that I've seen. The Waledac botnet used infected computers all over the world to send 1.5 billion spam messages a day, with Microsoft's Hotmail service receiving more than 30 million daily. This is costly to Microsoft and also leads to customer dissatisfaction, so they wanted it stopped.

No single government is in a position to take the whole botnet down, and arguably Microsoft couldn't just go and mess with it without some legal cover. They got a judge (I assume a US Federal judge, but the article doesn't say) to issue an ex parte temporary restraining order which gave them legal cover. Ex parte means "without notifying the other side" which was required so that the botnet operators didn't quickly change domains before the cannons were fired - I mean before the domains Waledac was using were disabled.

With the top level domains disabled the operators lost touch with most of their botnet, and Microsoft is now following up with security organizations to disable the peer to peer communications used by the system as well. While Microsoft didn't seize any pirate vessels or loot anything, they did remove an ongoing issue, saving themselves some money directly and helping improve their customer satisfaction while they are at it. In the process they helped us all by taking these resources away from the pirates.

Large corporations have the motive, resources, and scope to deal with these issues in a way that public law enforcement agencies currently have a hard time matching. I wonder if this is going to turn out to be the future of law enforcement when it comes to botnets and pirates? Private law enforcement has its issues - corporate self interest isn't reliably aligned with the public interest - but it sure is better than the nothing we currently have as an alternative.

The next step in becoming even more like the historic privateers: getting permission to break the law when going after pirates. If a corporation needs to reverse engineer encryption to take down a botnet they run into the DMCA in the US: reverse engineering encryption is currently illegal in the US (OK, I'm no expert, so perhaps there's an exception for this, but I'm not currently aware of one). To really take out the pirates we'll have to consider granting a license to break the normal rules to private organizations so that they can reverse engineer cryptography, use phishing schemes, DDoS, and violations of privacy laws in attacks against the pirate operators, break into their systems remotely and so on, and pretty much all of these actions are currently against the law. I haven't heard even a hint of movement in this direction yet, but I won't be surprised if it occurs.

This could get especially interesting in situations like the one where Google was hacked from China. China has clearly stated they are not involved in the hacking; if we allow privateers to hack into the operators' machines remotely and disable them, or implant spyware and interfere with botnet operation, and it turns out that some government really was behind it, we'll have recreated just about the whole privateer situation. Again, I have no idea if something like this will ever come to pass, and perhaps no governments are involved in hacking and operating botnets, but it is interesting to think about the issues and the possible consequences. At least it's interesting to me, anyway.
