Wednesday, October 12, 2011

Blog

Verisign's Internet security powers may be stretching too far

By James M. Connolly

I’m not one of those people who live in fear of Big Brother. Some would think me naive because I don’t worry that the National Security Agency is monitoring my emails and texts. Maybe it’s because my most exciting transmissions are entries wishing my kids a great day, or queries like, “Did you feed the dog?” I don’t even fret that all those building-mounted cameras in downtown Boston are keeping track of my comings and goings. “That’s right, NSA, I went to Al’s Subs twice this week!”

Yet, sometimes there are ideas coming out of government and big business that feel a little creepy. So it is with word out of computer security and authentication company Verisign that it is suggesting it be able to immediately shut down websites that violate Verisign’s policies, not only on court orders but even on the simple request of law enforcement. Verisign made the proposal to the Internet Corporation for Assigned Names and Numbers (ICANN).

Verisign told ICANN that it should be empowered to quickly take down sites that harbor malware, launch phishing attacks, or otherwise are used to launch attacks or might make Verisign liable to someone, according to published reports.

That’s fine, we want to be protected from web evil doers, not only those who launch cyber attacks but also those who use websites as a vehicle for serious crimes or fraud. However, aren’t we forgetting about due process?

Verisign’s proposal doesn’t lay out plans for website owners to have their side heard. For example, suppose Verisign’s scanning service spots malware on a site that is actually a victim of an attack. The security company should be offering help to the site owner, not blindly shutting them down.

Still more frightening is the angle where Verisign would shut down a site on the request of law enforcement. There’s no argument here about shutting down a site after a lawsuit or criminal action has been adjudicated, even if the action is only a temporary restraining order. However, there has to be some level of review. Angry cop who can’t get the goods on a business owner? Federal agency doesn’t like the politics of a community group like Occupy Boston? A prosecutor trying to make hay in an election year? Those are very real possibilities, and not far from things that have happened in real life. Sorry, Verisign, you can’t be shutting people down on the whims of “law enforcement,” particularly if the conversations are coming in through back channels. Put some real structure to this proposal, and then we can talk.