Are computer viruses a form of free speech?
I just noticed this now -- over at Boing Boing, Cory Doctorow wrote an incredibly nice comment on my piece about virus writers! He goes on to offer a interesting critique of the piece based on a particular issue it raises: Whether computer code is protected as free speech. As Cory wrote:
Clive touches on, and dismisses the free-speech arguments for publishing malware code (interestingly, he does so without any quotes from legal scholars and impact litigators who work on First Amendment issues, and so ends up eliding the nuance in the argument and presenting a somewhat blunted picture of the issue) and only lightly touches on the far more important notion of legitimate security research.
If, as Schneier says, "Any person can create a security system so clever s/he can't think of a way to defeat it," then the only experimental methodology for evaluating the relative security of a system is publishing its details and inviting proof of its flaws -- proof readily embodied in malware.
Codebreakers and worm-writers are the only mechanism we know about for reliably strengthening systems, and the idea that they should refrain from publishing their research in order to keep us safe is fundamentally flawed, since it depends on the idea that malicious people will never be clever enough to independently reproduce their techniques, and that the public is better served by remaining ignorant of the potential risks in the systems they've bought than by being exposed to the evidence of the rampant flaws in those systems.
This notion falls flat when considered in light of the real world. If a developer was building condos whose doors could all be unlocked with an unbent paper-clip, this line of reasoning demands that the person(s) who discover this should keep mum about it, in the hopes that no bad guy ever catches on. In the real world, the best answer is usually to scream about this to high heaven, so that the bad developer can't silence you and cover his ass, and so that his customers can get their locks fixed.
This is an excellent debate. But I don't think my article dismisses the free-speech argument. Indeed, quite the opposite -- it explicitly states that code is a form of speech. As I wrote ...
... in most countries, writing viruses is not illegal. Indeed, in the United States some legal scholars argue that it is protected as free speech. Software is a type of language, and writing a program is akin to writing a recipe for beef stew. It is merely a bunch of instructions for the computer to follow, in the same way that a recipe is a set of instructions for a cook to follow.
Cory's quite right that I didn't actually quote any legal scholars or free-speech experts in the piece, though I certainly have interviewed plenty of them on this issue (including, back when I was writing about the DeCSS trial, the insanely brilliant Dave Touretzky).
I think Cory may be confusing my discussion of the ethics of virus writing with the right to compose malware. My article points out that the ethics of virus-writing are considered, by many, to be somewhat suspect. That doesn't dismiss the point about the free-speech argument for writing computer code. Quite clearly, code is a form of speech -- and for the record I would be very, very glad to see it thusly protected! (Not the least because, while being myself only a very crappy and very occasional programmer of the lamest computer languages in existence, I find programming a superbly intellectual endeavour.)
But just because one has a right to do something does not mean it's ethical to do it. (And vice versa -- there are, sadly, plenty of people in jail for things that were against the law but were not even vaguely unethical, including much civil disobedience.) Rights and ethics are very different things. What my article was in part trying to explore were the complex ethics of virus writing.
As Cory pointed out, one can also make a good ethical case in favor of virus writing. I, too, pointed out the argument:
Indeed, a number of them say they are making the world a better place, because they openly expose the weaknesses of computer systems. When Philet0ast3r or Mario or Mathieson finishes a new virus, they say, they will immediately e-mail a copy of it to antivirus companies. That way, they explained, the companies can program their software to recognize and delete the virus should some script kiddie ever release it into the wild. This is further proof that they mean no harm with their hobby, as Mathieson pointed out. On the contrary, he said, their virus-writing strengthens the ''immune system'' of the Internet.
Having said that, it is true that I presented the devil's-advocate side: That widely publishing your virus code can fall into an ethical grey area. That's because viruses behave in ways rather different from other types of code. Cory quotes Schneider to point out a well-known security fact: That one good way to improve the security of a computer system is for smart outsiders to examine it carefully and discover its weaknesses. That's why open-source code like Linux is so stable; tens of thousands of smart geeks have looked at the code and immediately publicized any weaknesses they find. That's also why smart goverment agencies and companies hire tiger teams to try and break into their own systems. It's a great way to probe your own vulnerabilities.
Viruses and worms are a bit different, though, I think. Attempting a series of hack-attacks on a particular system to try and uncover its weaknesses is a stable, controlled experiment. You can run the experiment in such a way that you don't actually hurt anyone. But when viruses and worms are released, they're inherently uncontrolled. They interact with thousands of unknown computer systems with unknown configurations; there's simply no way to fully predict what's going to happen. They might be harmless. Or they might screw up the 911 system in a city, as Slammer did. There are plenty of ways to test a system with a single hack attack. You can prove that backdoor exists by invading it on a single machine; no harm done. But there is no way to definitively prove a virus would spread the way you think it would without releasing it -- and that's an inherently chaotic endeavor.
Yet I still don't think one should be prohibited from writing worm and virus code -- because as Cory says, the code can be a good way to show, on paper, that a vulnerability exists that ought to be patched. The grey area is: How to publish the findings? If you put the full code to your worm up online, you can be pretty certain someone will release it. And though publishing may indeed be your legal right, in this context, it's also an ethical decision. Are there other ways to inform the world about a worm-related vulnerability you've discovered? Publish only the most relevant parts of the code? That might not be a bad idea, since script kiddies won't be able to write the rest of the code necessary to get the worm up and running; a smart security official, however, could look at those few lines of worm code and immediately grok the vulnerability they need to patch.
The counterargument would be that "software companies drag their heels -- nobody would ever really fix a vulnerability until they've had it literally slammed in their faces. You have show the full worm code -- hell, it probably has to be released in the wild -- before they'll really take it seriously." Fair enough. The vulnerability that the Slammer worm exploited had been known for months; people only got serious about patching it once they'd seen how much damage a worm could do. And, once again, one ought indeed to have the free-speech right to publish a worm. But I don't think exculpates you from the ethical aspects of the debate. Rights are clean and simple; ethics are super-messy.
Since Cory opened his posting about my article with an incredibly nice compliment about my writing, I'm going to close with one about his: Readers! If you are still with me here, DO NOT WALK but RUN to the nearest bookstore and get a copy of Cory's latest novel, Eastern Standard Tribe. He is easily one of the most talented science fiction writers I've ever encountered, and my shelves are groaning with the stuff. (His last novel Down and Out in the Magic Kingdom fried my noodle and inspired a zillion interesting conversations about the future of the reputation economy.) Go. Now!
Posted by Clive Thompson at February 11, 2004 10:07 PM
Trackback Pings
TrackBack URL for this entry: http://www.collisiondetection.net/mt3/mt-tb.cgi/739
Listed below are links to weblogs that reference Are computer viruses a form of free speech?:
what a strange world we live in when things like money and viruses exist as forms of free speech. so, malware may be speech, but probably the type that gets hung up on the “clear and present danger” restriction to free speech (first articulated in 1919 by justice holmes, in Schenk v. United States). that decision abridges first amendment rights by arguing for a sensitivity to context and possible dangerous effects of speech. that's where holmes made the famous “yelling fire in a crowded theater” analogy. the doctrine’s mostly been used during wartime to squash the speech of bolshies, commies, and similar “seditionists“, in contexts/conditions very similar to the ones we‘re experiencing today. the test has waxed and waned in strength , but the current state of the state reads something like: “a state may not prohibit advocacy of the use of force or violation of the law except where such advocacy is directed to inciting or producing imminent lawless action and is likely to incite...such actions." so the question is: are viruses inherently designed to produce or incite lawless action?
and yet ... one can simply go, say, to the public newsgroup alt.engr.explosives and pick up a recipe for one’s favorite ANFO explosive - er, “for academic use only” the loompanics publishing outfit has thrived in this little gray area for years. information just wants to be free.
Posted by: chris at February 11, 2004 11:36 PM
It's really a great piece, Clive. I was reading it last night on the train home. You've got a knack for narrative nuances.
"Philet0ast3r's party was crammed with 20 friends who were blasting the punk band Deftones, playing cards, smoking furiously and arguing about politics. It was a Saturday night. Three girls sat on the floor, rolling another girl's hair into thick dreadlocks, the hairstyle of choice among the crowd."
It almost seemed like a short story where you educate the reader about virus-writing as part of the narrative.
I think you're right that you didn't really dismiss the 1st Am issues. There are plenty of gray shades here. Besides, your subjects were in Europe.
Posted by: greglas at February 12, 2004 10:19 AM
Thanks for the very kind words! It's definitely a damn interesting scene, filled with some incredibly smart people. And yes, part of the goal of the article was to try and show a little bit of the culture of the people who write viruses -- not just the technical side.
Good point about free-speech issues and the fact that many malware authors are overseas. The *idea* of American-style free-speech protections seems to be very powerful in the geek community, even when the coders themselves live in countries that do not have similar protections.
Posted by: Clive at February 12, 2004 11:18 AM
Clive: I just finished reading your article and heard you on NPR too. Nice work. It was an interesting read, and although I've been a programmer for nearly ten years, I didn't know much about the culture of virus authors. Running Linux kind of alleviates the concern, since very few authors even target the OS.
Posted by: dan at February 12, 2004 9:09 PM
Posted by: DOrks at October 4, 2004 10:21 AM
Posted by: texas hold em at March 18, 2005 2:11 AM
Post a comment
what a strange world we live in when things like money and viruses exist as forms of free speech. so, malware may be speech, but probably the type that gets hung up on the “clear and present danger” restriction to free speech (first articulated in 1919 by justice holmes, in Schenk v. United States). that decision abridges first amendment rights by arguing for a sensitivity to context and possible dangerous effects of speech. that's where holmes made the famous “yelling fire in a crowded theater” analogy. the doctrine’s mostly been used during wartime to squash the speech of bolshies, commies, and similar “seditionists“, in contexts/conditions very similar to the ones we‘re experiencing today. the test has waxed and waned in strength , but the current state of the state reads something like: “a state may not prohibit advocacy of the use of force or violation of the law except where such advocacy is directed to inciting or producing imminent lawless action and is likely to incite...such actions." so the question is: are viruses inherently designed to produce or incite lawless action?
and yet ... one can simply go, say, to the public newsgroup alt.engr.explosives and pick up a recipe for one’s favorite ANFO explosive - er, “for academic use only” the loompanics publishing outfit has thrived in this little gray area for years. information just wants to be free.
Posted by: chris at February 11, 2004 11:36 PM
It's really a great piece, Clive. I was reading it last night on the train home. You've got a knack for narrative nuances.
"Philet0ast3r's party was crammed with 20 friends who were blasting the punk band Deftones, playing cards, smoking furiously and arguing about politics. It was a Saturday night. Three girls sat on the floor, rolling another girl's hair into thick dreadlocks, the hairstyle of choice among the crowd."
It almost seemed like a short story where you educate the reader about virus-writing as part of the narrative.
I think you're right that you didn't really dismiss the 1st Am issues. There are plenty of gray shades here. Besides, your subjects were in Europe.
Posted by: greglas at February 12, 2004 10:19 AM
Thanks for the very kind words! It's definitely a damn interesting scene, filled with some incredibly smart people. And yes, part of the goal of the article was to try and show a little bit of the culture of the people who write viruses -- not just the technical side.
Good point about free-speech issues and the fact that many malware authors are overseas. The *idea* of American-style free-speech protections seems to be very powerful in the geek community, even when the coders themselves live in countries that do not have similar protections.
Posted by: Clive at February 12, 2004 11:18 AM
Clive: I just finished reading your article and heard you on NPR too. Nice work. It was an interesting read, and although I've been a programmer for nearly ten years, I didn't know much about the culture of virus authors. Running Linux kind of alleviates the concern, since very few authors even target the OS.
Posted by: dan at February 12, 2004 9:09 PM
COOl Beans
Posted by: DOrks at October 4, 2004 10:21 AM
You can also check the pages about party poker party poker http://party-poker.vpshs.com/ online poker online poker http://online-poker.fearcrow.com/ texas hold em texas hold em http://texas-hold-em.fearcrow.com/ texas holdem texas holdem http://texas-holdem.vpshs.com/ poker games poker games http://poker-games.vpshs.com/ free texas hold em free texas hold em http://free-texas-hold-em.vpshs.com/ how to play poker how to play poker http://how-to-play-poker.vpshs.com/ poker online poker online http://poker-online.vpshs.com/ texas holdem poker texas holdem poker http://texas-holdem-poker.vpshs.com/ pacific poker pacific poker http://pacific-poker.vpshs.com/ poker poker http://poker.fearcrow.com/ texas holdem texas holdem http://texas-holdem.fearcrow.com/ poker rules poker rules http://poker-rules.fearcrow.com/ poker hands poker hands http://poker-hands.fearcrow.com/ world series of poker world series of poker http://world-series-of-poker.fearcrow.com/ free online poker free online poker http://free-online-poker.fearcrow.com/ world poker tour world poker tour http://www.fearcrow.com/ party poker party poker http://party-poker.fearcrow.com/ poker games poker games http://poker-games.fearcrow.com/ free texas hold em free texas hold em http://free-texas-hold-em.fearcrow.com/ how to play poker how to play poker http://how-to-play-poker.fearcrow.com/ poker online poker online http://poker-online.fearcrow.com/ texas holdem poker texas holdem poker http://texas-holdem-poker.fearcrow.com/ wsop wsop http://wsop.fearcrow.com/ pacific poker pacific poker http://pacific-poker.fearcrow.com/ empire poker empire poker http://empire-poker.vpshs.com/ world poker tour world poker tour http://www.vpshs.com/ free online poker free online poker http://free-online-poker.vpshs.com/ world series of poker world series of poker http://world-series-of-poker.vpshs.com/ free poker free poker http://free-poker.vpshs.com/ poker hands poker hands http://poker-hands.vpshs.com/ texas hold em texas hold em http://texas-hold-em.vpshs.com/ poker tables poker tables http://poker-tables.vpshs.com/ poker rules poker rules http://poker-rules.vpshs.com/ poker poker http://poker.vpshs.com/ ...
Posted by: texas hold em at March 18, 2005 2:11 AM