Some comments on Schneier's blog suggest that the new amendment to the existing California Consumer Protection Against Computer Spyware Act (SB 1436) might actually be the work of the RIAA. Anyone know who lobbied for this bill?
The Register story, which Schneier cites, does in fact mention an infamous case where a woman defended herself by claiming a lack of security:
Tammie Marson was accused by record labels Virgin, Sony BMG, Arista, Universal and Warner Brothers of illegally sharing copyrighted music files. She argued that because anyone in the vicinity of her house could have used her connection, the record labels could not rely on the fact that her connection was used, but would have to prove that she was the one actually performing the actions.
Marson's lawyer, Seyamack Kouretchian of Coast Law Group, told OUT-LAW Radio that evidence that Marson's connection was used was not enough. "The best that they could do, the absolute best, was prove that the music was on a computer that had accessed the internet through her internet connection," he said. "You had neighbours who would have had access to her internet connection over a wireless router so it could have been anybody."
However, a little reading of the text of the amendment itself suggests that it was not a reaction to the Marson case. First of all, it was introduced by Núñez (Los Angeles) and co-authored by Leno (San Francisco). They don't seem like the type to be in the pocket of the RIAA, but anything is possible and I have not yet looked into it. Second, their intro language in the final version complains more about users who are unaware of the option of security, rather than a need to require them to use security. Could a RIAA lawyer argue that you agreed to secure your wifi when you opened the packaging? It is not clear what the warnings will say.
(b) "Encryption" means any process whereby a wireless connection to a wireless local area network (WLAN) is secured and is accessible only by the user of the wireless technology.
Encryption means secured. Clear? Note that the first draft also had a rather vague requirement:
A person or entity that sells wireless technology to a computer user in this state shall not sell that technology unless it contains encryption software or a similar encryption device, which shall be set as the default mode at the time of sale.
Eeek. That's like fingernails on the chalkboard bad. Encryption software or similar encryption device? Could someone define encryption, or at least throw in a "reasonable" in front of it for good measure? Er, imagine if you used encryption=secured — "secured software or a similar secured device"?
Anyway, not to beat a dead draft version, the final version has its own problems. For example:
Enabled security avoids this problem by preventing all but the most determined attempts to tap into a consumer's network.
Great. Enabled security sounds like a good thing. I'm a little wary of who gets to define "determined attempts" and how, but I'll leave that one alone for now. So, what's the problem it is trying to solve?
Consumers are generally unaware when an unauthorized user is using their broadband network connection
Ahem. Who gets to be the person to tell the California Senate that their solution has nothing to do with solving the problem? Neither warning labels nor encryption make users aware of unauthorized use of a wifi network. Wasn't that the goal? Sure, there is a small chance that users might be able to prevent unauthorized use if they know what to do, but if the problem is that they are unaware or otherwise unable to detect unauthorized use…I'm just saying.
So despite all the problems brought forward for consideration, the solution they ultimately settled on seems to suggest little more than user education. I think it is interesting that in the final version there is no requirement that security be enabled by default on devices, just a gentle prod to be aware that security exists. At least that is how I would interpret this "advise and make them affirm" language:
(3) Provide other protection on the device that does all of the following:
(A) Advises the consumer that his or her wireless network connection may be accessible by an unauthorized user.
(B) Advises the consumer how to protect his or her wireless network connection from unauthorized access.
(C) Requires an affirmative action by the consumer prior to allowing use of the product.
I guess I am ok with that. Advising the consumer about their option for security is just plain old education (POE), although I am not convinced that this is the right way to give an incentive to companies to offer better security or make it more user friendly. Ranum and Schneier gave their positions on the effectiveness of user education here. In a nutshell, Ranum says hard-knocks and breaches are the form of education people can relate to, and Schneier contends that security should be easy enough to use that people will adopt it naturally. But rather than rehash that debate, the government of CA has sort of clearly said they want users to be educated.
So when you look at the amendment's solution, the real question becomes whether people are being denied the opportunity to protect their wifi (and related) security because they simply do not know about their security options. That is what the amendment appears to cover. Is this really something the government can effectively promote, especially if consumers actually want/need controls from manufacturers like real-time monitoring instead of just some legal disclaimers on a piece of packing tape?
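To make concrete what "real-time monitoring" could mean on a home router, here is an added example that is not part of the original post or of any vendor's firmware. It does the one thing the post says warning labels and encryption do not do: it tells the consumer when a device they did not register is using their connection. The lease lines are constructed and mimic the layout of a dnsmasq-style lease file (expiry, MAC, IP, hostname); the allowlist of known devices and the comparison of hostnames against it are assumptions about how a router might let a household register its own equipment.

```python
"""Flag unknown devices from a router's DHCP lease table.

Added example, not from the original post. Demonstrates the kind of
awareness the post says the amendment fails to provide: the consumer
is told that an unregistered device holds an address on their network.
"""
from dataclasses import dataclass

# Constructed sample lease table. Field order mimics a dnsmasq lease
# file: <expiry epoch> <MAC> <IP> <hostname> [<client-id>].
SAMPLE_LEASES = """\
1700000600 aa:bb:cc:00:00:01 192.168.1.10 family-laptop 01:aa:bb:cc:00:00:01
1700000650 aa:bb:cc:00:00:02 192.168.1.11 phone 01:aa:bb:cc:00:00:02
1699999000 aa:bb:cc:00:00:03 192.168.1.12 old-printer *
1700000700 de:ad:be:ef:00:99 192.168.1.42 * *
1700000710 aa:bb:cc:00:00:02 192.168.1.43 different-name *
"""

# Assumed: devices the household registered once, at setup time,
# keyed by MAC with the hostname they announced at that time.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "family-laptop",
    "aa:bb:cc:00:00:02": "phone",
    "aa:bb:cc:00:00:03": "old-printer",
}


@dataclass(frozen=True)
class Lease:
    expires: int
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; skip blank or truncated lines instead of failing."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        expires, mac, ip, hostname = fields[:4]
        leases.append(Lease(int(expires), mac.lower(), ip, hostname))
    return leases


def active_leases(leases: list[Lease], now: int) -> list[Lease]:
    """Only leases that have not expired are 'using' the connection."""
    return [lease for lease in leases if lease.expires > now]


def classify(leases: list[Lease], known: dict[str, str]) -> dict[str, list[Lease]]:
    """Split active leases into known, unknown and 'known MAC, new name'.

    A MAC that is registered but now announces a different hostname is
    reported separately: it may be a renamed device, or someone reusing
    a registered MAC. Either way the owner should hear about it.
    """
    result: dict[str, list[Lease]] = {"known": [], "unknown": [], "renamed": []}
    for lease in leases:
        expected = known.get(lease.mac)
        if expected is None:
            result["unknown"].append(lease)
        elif lease.hostname not in ("*", expected):
            result["renamed"].append(lease)
        else:
            result["known"].append(lease)
    return result


def alerts(text: str, known: dict[str, str], now: int) -> list[str]:
    """Human-readable notices a router UI or e-mail could show the owner."""
    groups = classify(active_leases(parse_leases(text), now), known)
    lines = []
    for lease in groups["unknown"]:
        lines.append(f"Unregistered device {lease.mac} holds {lease.ip}")
    for lease in groups["renamed"]:
        lines.append(
            f"Registered device {lease.mac} now calls itself "
            f"'{lease.hostname}' (was '{known[lease.mac]}') at {lease.ip}"
        )
    return lines


if __name__ == "__main__":
    # now is fixed so the constructed sample gives the same result every run
    for notice in alerts(SAMPLE_LEASES, KNOWN_DEVICES, now=1700000000):
        print(notice)
```

Run stand-alone, the script reports the unregistered MAC at 192.168.1.42 and the registered phone MAC that reappeared with a different hostname; the expired printer lease is ignored. A MAC allowlist is a notification mechanism, not a security boundary (a MAC address is chosen by the client), which is why this belongs alongside, not instead of, the encryption the amendment talks about.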
I don't know if there is still time for revision but I would suggest they try to find a way to incent wifi device manufacturers to make security more reliable and accessible, and that does not necessarily mean direct regulations. A mere warning about the option to use a complex and faulty system (to combine the positions of Ranum and Schneier) does not generate the heat necessary to make security seem like a good trade-off to the average consumer.