News & Politics

Shut Up

Smart geeks are being harassed or bribed into silence by major corporations all the time.
It's always the same story. Some smart geek is poking around in the routers or software or other gizmos made by a major corporation and discovers that -- surprise -- consumers are getting screwed because said corporation hasn't bothered to make its products secure against bad guys who want to steal your data and make the Internet go boom. Then the smart geek goes to the big corporation and says, "Hey, I found this dangerous vulnerability in the software you run on your routers, and I want to help you fix it."

The big company freaks out and agrees to work on a fix with the smart geek. Weeks go by. The fix is built, but deploying it on the thousands of routers running this company's software is onerous at best. Nevertheless, the company agrees to let the public know about the flaw -- it's practically a matter of national security, since its products are part of the basic structure of the Internet at this point. So the smart geek and the big corporation agree that the geek will present a paper about the vulnerability at a major computer security convention in a very hot Western state known for its lax gambling laws.

And then, wouldn't you know it, the company gets cold feet. Very cold. It tells the geek he'd better not present that paper after all. It threatens him with a lawsuit. Then his own employer threatens him too, because it doesn't want the big company mad at it. Finally, after the smart geek delivers the paper, the big company settles on a temporary restraining order against him that results in several people spending several hours ripping the notes on his presentation out of the program books for the conference. This process is filmed by other geeks, who immediately put it up on various file-sharing networks. The smart geek's talk is distributed in the same way. Eventually he's invited to Washington, DC, to help advise government agencies on how to defend against this fatal vulnerability.

By now you've probably figured out I'm not just telling you a story about a composite person. The smart geek is Michael Lynn; the big company is Cisco Systems, one of the world's largest manufacturers of computer network hardware and software; and the conference is Black Hat, in Las Vegas. But Lynn's story might as well be a generic one. This kind of thing happens all the time in the security world -- it just doesn't get leaked at major conferences and written up in the Washington Post. (OK, it was the Washington Post blog, but still!) And not every geek is as ethical as Lynn was. Smart geeks are being harassed or bribed into silence by major corporations all the time.

Imagine if a phone company was suing people who told the public that they'd discovered it was easy for eavesdroppers to overhear everybody's conversations. That's essentially what Cisco did. Their routers are as crucial to the global communications infrastructure as the telephone network is.

Now let's imagine even creepier things about the communications infrastructure. Let's say, for example, that a local post office in the United States decided it wasn't going to deliver your postcards anymore because they didn't conform to its arbitrary policies about what kind of mail is appropriate.

If you consider that Internet service providers are basically digital post offices for our e-mail, you'll find that this exact sort of capricious refusal to deliver mail is going on all over the country without check. This came to light recently in a court case against the University of Texas, whose campus ISP refused to deliver mail advertising a dating service. There was nothing illegal about the mail -- it wasn't spam, at least according to the federal definition in the CAN-SPAM law. It was just advertising. The advertiser sued the university under the First Amendment for refusing to deliver its mail and lost because advertising gets very little protection under the First Amendment. The upshot? It's legal for ISPs to block your e-mail whenever they want, even if the mail isn't illegal.

I'm not playing a sad violin for the advertisers, but I am pissed off on behalf of everybody else whose legal e-mail is being blocked for other reasons and who now has even less recourse under the law. Shouldn't ISPs have an obligation to deliver all mail that's legal, even if they don't like what's in it? I mean, the post office faithfully delivers my junk mail along with all the letters I want to read. And I pay my ISP more than I pay the post office, by far.

Annalee Newitz is a surly media nerd who is going back to the can-and-string infrastructure.