This citation concerns you:

“Each Party shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors, performers or producers of phonograms in connection with exercise of their rights in and that restrict acts in respect of, their works, performances and phonograms, which are not authorized by the authors, the performers or the producers of phonograms concerned or permitted by law”.

 

Do you recognize it? If you’ve been following the recent ACTA (Anti-Counterfeiting Trade Agreement) news, and went through the agreement, you’d know that this is taken from Section 5, article 27, paragraph 5. So how does this concern you?

At a first glance, this paragraph seems to be targeted at the music industry, however the proposed agreement does not define “authors” anywhere in the document. An individual who writes software is an author, and I am therefore concerned that this might also apply to us who work in security – and if this is the case, it can actually cause a lot of problems. If the clause does exclude legal usage, meaning that reverse engineering malware – which is using obfuscation techniques might not in itself be illegal – can the same be said for the tools we depend on to do our job?

Point six states that any tool designed for the purpose of circumventing an effective technological measure, or has only a limited commercial significant purpose other than circumventing an effective technological measure, should be deemed illegal. This also appears to cover disassemblers and other similar analytical tools that are essential for the reverse engineering of malware.

I may be wrong, but if this is the case, I believe it will also be a threat for free software because if reverse engineering, or the software that is required to perform it, is deemed illegal, it would be impossible for free software to allow interoperability. Even worse, without reverse engineering we cannot have antivirus definitions and no Intrusion systems detection rules, as these also depend on malware analysis.

Since this is a treaty, and each country has to enact legislation to comply with the treaty, it is extremely hard to get clear-cut answers. Reverse engineering and disassembling have long been a big issue for developers. Console manufactures have a strong interest in ensuring that any Anti-Circumvention law will apply to consoles as well. All this adds to my concern that the treaty may have negative repercussions on the security industry and those who work in it.

I would like to hear the perspective of admins and other IT professionals who might be affected by the terms of the treaty. What are your views on the subject? Are you worried or do you think any legislation is unlikely to have an impact on your work?