Michigan First With A Law That Could Outlaw VPNs

zaren writes "Holy frell, Taco, we're gonna be criminals! I was checking out Freedom to Tinker after reading the posting about that multi-state anti-VPN-style legislation, and I saw a new posting that says that Michigan has ALREADY passed such legislation, and it goes into effect on MONDAY, MARCH 31, 2003 . Guess I better tighten down the base station and batten down the hatches..."

What were they thinking???

[Tuxinatorium]

(b) Conceal the existence or place of origin or destination of any telecommunications service. What were legislators smoking when they wrote that clause? That's so ridiculously overbroad that it could even be interpreted to make it illegal to call someone from a payphone without telling them where you are.

Re:Phone extenders

[pyrote]

this would also make calling cards illegal, since every time I get a call from one it comes from texas, not nevada where the call originates.

Internet Made Illegal

[Highwayman]

This is ridiculous. In a broad sense, this would outlaw an PPP connection that assigns an ISP customer a different IP address with every session. Not only that but the nature of such legislation would outlaw virtual domains using Apache and could be applied to the way the Internet has come to work in a limited IP space. I mean, in order to find out who is who on a shared IP web server, you would have to have access to the configuration files.

With so many domains sharing IP addresses or having IP addresses provided by big companies such as HE there is an amount of obfuscation built in to the DNS system to allow flexibility on the host side. Can't they get busy with spam legislation instead?

What a strange world

[Subcarrier]

(b) Conceal the existence or place of origin or destination of any telecommunications service.

Apparently it is legal to have a concealed weapon, but having a concealed cell phone or disabling caller ID violates the law.

Liability (i.e., Cisco as pimp)

[Epesh]

So the companies that make firewalls, routers and switches are going to be indicted in MI? I mean, hey - they're the primary enablers here. If they didn't sell routers, people would have a much greater barrier to creating VPNs, thus those companies are really the guilty ones, exploiting the businesses that provide carrier service. Besides, they've much deeper pockets. We're talking Cisco here, after all. Down with them! They're the criminals here, with the role of pimp; the poor people using VPNs are simply the buyers.

Re:Also with effect 31 March...

[October_30th]

Why marry?

I see no benefits but only complications in the institution of marriage. Legally, it makes it harder to break up and discourages people to do so even when kids and their own mental health would actually benefit from it. Psychologically it is even more offensive: a sort of proof of ownership.

Originally marriage meant that the wife became husband's property (instead of her father's, that is), but I guess these days it stipulates that the husband is wife's property too.

I find this really offensive. I don't want my significant one to stick around just because there is a band of metal around one of her fingers. She's not my property and I'm not hers. She's free to do whatever she wants. If she decides to walk out on me, I have nothing to say about it and vice versa.

The network is the computer

[Anonymous Coward]

Here I sit using at least two computers simultaneously for the simple reason that they both do different jobs. In my house there are four devices capable of being connected to my network hub and that in turn connects to the cable modem I have. Given that it is just me using all these at the same time why would it make sense to charge me for each computer? There's just me. Now, if I set up a dial up so that other users can run off my cable then yes that is bad and a law that said I could not resell the service I have bought would be perfectly reasonable, but this is my house, my connection and they are my machines. I pay for a fat(ish) pipe to the outside world. Does the water company charge me more because I have more sinks than my next door neighbour? They may charge me more if I use more water but having more sinks doesn't matter, it is the flow that matters. Same should be true with a network. I am happy to have a capped bandwidth (500Kbs) because I am paying a flat rate for that. However, the four computers I have can't get more data through than one on its own could so what is the problem? What happens if I want to play around with a beowulf cluster? Are they going to outlaw clusters unless you can get some special exemption? You certainly wouldn't want to have to get an IP address for every machine in a big cluster. Oh, and what about the company providing the connection, are they going to ensure that if I have to pay for individual connections for each machine they will still protect me from all the twits who probe my system on a daily basis and do a better job than I can myself with my gateway? This bill is only going to benefit the money grabbing service providers and those idiots who love to try to root machines.

IMHO of course :-)

Re:Also with effect 31 March...

[Jah-Wren Ryel]

The point is not whether it would stand up in court, the point is that it is a form of legalized harrassment. If the cops, or anyone else in the law enforcement power structure, doesn't like you for any reason valid or not, they have just one more tool to fuck you over with impunity.

Sometimes just calling you a terrorist is more trouble than its worth, probably gets the FBI and the Dept of the Fatherland involved which might actually question a few too many baseless accusations. This law just keeps their options open.

Re:s/u FO/users

[gl4ss]

you see, when you are buying access, they are billing for you for it but not really ready to let you use all the bandwith they sold you, it's like an all-you-can-eat resteurant that will kick you out after you've eaten 6 pizzas. and if you are crypting the transfers they can't just be bad boys on the block and eavesdrop and then say that you are bad warezor shuu shuu go away.

now, i'm perfectly happy with this kind of arrangment at my current place of living (student foundation provided) and the net access they give (100mbit, minimal fee, and no, it's not really paid from outrageous university fees, because here we pay around 120e per year to attend to it) and the fact that i can't use all the bandwith from it all the time if i don't wanna get disconnected. but i perfectly knew this when i signed up, and i would be fiercely pissed off if i paid good $$$ for connection and didn't get what i paid for and especially if i was told that crypting the transfers was a no-no(you could just as well be mailing all your mail in transparent envelopes.. which the postal office might actually like?).

the law sounds just as ridiculous as the law that was in greek to forbid videogames.. all the bad things it would outlaw are things that should be already covered by other laws(fraud & etc).

This applies to UNLAWFUL devices

[ShinmaWa]

Most of you are missing a key phrase in the legislation. The part most people are leaving out is: A person shall not assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise an unlawful telecommunications access device....

Now, what is an "unlawful telecommunications access device"? That is answered under 750.219a which is entitled:

750.219a Obtaining telecommunications services

with intent to avoid charge; violation; separate incidents pursuant to scheme or course of conduct; enhanced sentence based on prior convictions; definition.

Section 219 defines an unlawful device as:

(a) A telecommunications access device without the authority or consent of the subscriber or lawful holder of that telecommunications access device.

I read this to mean to hijack someone else's "telecommunication device".

(b) A counterfeit telecommunications access device.

If you read the section further, this applies to illegal cable descramblers and stuff like that.

(c) A fraudulent or deceptive scheme, pretense, method, or conspiracy, or any device or other means, including, but not limited to, any of the following:
(i) Using a false, altered, or stolen identification.
(ii) The use of a telecommunications access device to violate this section by a person other than the subscriber or lawful holder of the telecommunications access device pursuant to an exchange of anything of value to the subscriber or lawful holder to allow that unlawful use of the telecommunications access device.

I think we can all agree that FRAUD is bad.

badly drafted law?

[Andy_R]

There may be a get-out here - if the parent post is giving the exact wording, it is the origin or destination of the *service*, not the telecommunication itself that can't be concealed. This means you can conceal your cell phone, but you can't conceal which teleco you bought it from.

Are we all reading the same law?

[hoggy]

I fail to see anything in this amendment that applies to VPNs. It appears to be specifically designed to target phone phreaking. It's all about screwing with telecoms services. VPNs don't do that.

They don't obtain telecoms services without intent to pay (1a), they don't conceal the origin or destination of the traffic (1b), and they don't intercept, disrupt, re-transmit, or otherwise fuck with your, or anyone else's, service (1c).

Unless you've deliberately cracked your ISP in order to run your VPN, you've not fallen foul of this law.

Get some perspective.

[Interestingly, this does appear to make IP address spoofing illegal - but I consider that to be a good thing.]

Re:What were they thinking???

[Martin Blank]

Text of the e-mail I just sent to the Michigan AG's office:

***
Subject: Questions on Michigan law, section 750.540c.amended

This new law, due to take effect on Monday, Mar 31, 2003 (likely the day this is read) has brought some concern to those of us who are technically minded. The main issue stems from this portion:

(1) A person shall not assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise an unlawful telecommunications access device or assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise a telecommunications device intending to use those devices or to allow the devices to be used to do any of the following or knowing or having reason to know that the devices are intended to be used to do any of the following: ...
(b) Conceal the existence or place of origin or destination of any telecommunications service.

This would seem to make illegal any hardware and software designed to make use of such technologies as NAT (Network Address Translation), which is used to allow multiple computers or other devices to access a single connection to the Internet. Specifically, the ISP will see only the information about the router, which, as a consequence of the technology, blocks any information about the original computer sending the transmission.

Another portion reads thusly:

(2) A person shall not modify, alter, program, or reprogram a telecommunications access device for the purposes described in subsection (1).

This would seem to make illegal a feature on many routers that allows a device on the outside of the private network to see a MAC address that is not the true address of the router, but rather one that matches a network card of a computer behind the router. This allows the router to be used in cases where an ISP uses the MAC address as a security feature to prevent unauthorized access to its network. It would seem that use of this feature could be combined with the above concern to result in a doubling of the penalty.

Because of the popularity of these technologies, my reading of the law would make many Michigan residents into potential criminals, and could unfairly force them into paying more for additional connections to their ISP if the ISP chooses to forbid NATs and then proceed to systematically hunt down those that would use NATs.

Is this understanding of the law as written correct in letter if not in spirit? Can you provide any information on how the Attorney General's office plans to advise the various district attorneys on conditions under which violations of this law should be pursued? For example, could an ISP demand criminal charges be brought against someone who has used NAT technologies on its network? There is a large technical community that is now worried about this.

Thank you for your time.
***

I will post any response I get from them.

Re:What were they thinking???

[gnp]

Reading section 219a.amended for the definition of telecommunications services makes me think that this doesn't prevent VPNs. I think the telecom service providers cannot conceal their physical link ends, but I don't see where anyone using those links to operate a VPN is required to do anything special...

Human stupidity is to blame

[October_30th]

This will not be the end of the world.

All the problems you list are due to human stupidity. Even SARS. The patient zero was somewhere in China and the local politicians failed to take action in fear of falling into disfavour. More concentrated stupidity can be found in the form of Kim Jong Il, GWB, Chirac and other politicians worldwide.

Now, there is an excellent record of 6000 years of human stupidity that we call history. In fact, human stupidity most likely extends even beyond the written records and if we go really far back in time we arrive at the point when "human race" was just a little more advanced kind of an ape. And we definitely can agree that by human standards apes are pretty dim, aren't they?

So, in conclusion, most of the recent events can be blamed on stupidity and since the massive human stupidity in the past has not brought on the end of the world ago it won't do so this time either. So, don't worry.

you got it

[zogger]

You got it. You need to read this legislation in the light of all the other legislation out there, signed into law or proposed. A Police State needs for everyone to be a criminal on paper, to have that potential,to be able to use that against them. Look at oregons proposed policial demonstration law. Walk in the street in a demonstration, you are facing 25 years to life. Use a normal router, with how it normally works, you are a criminal. Go into patriot act 1 and now 2, which they are migrating to different other bills to get it passed. Misdemeanors can be classed as supporting terrorism. You really don't want to be classed as a terrorist. You can become an un-person very quickly, and it wouldn't be in there if they weren't planning on using it, even more extensively than they are now. The gestalt with computers in general is that computers allow anonymous and semi anonymous and easy communications for the average person. Police States don't like that.

This is REAL stuff in all our faces. You can't keep up with it now,laws, laws,laws and more new laws, daily. It's at the federal level and all the state levels, assaults against born-with rights, just being a normal person, are fully underway, it's not theoretical or tin foil hat. This article is an example of just another one. Add 'em all up. Pretty spooky.

Thanks for sending that letter, looking forward to see what they say, if you get a credible response.

Re:What were they thinking???

[JWhitlock]

You forgot one important fact:

Most Michigan businesses (and probably most government offices) use NAT or proxy servers for their internet connections. I believe a zealous prosecutor could interpret proxy servers as hiding the specifics of the computer that is making the requests for connections.

Thus, just about every person with internet access at work is breaking Michigan law, under one interpretation. Including the AG that you are emailing.

As long as you are sending long and technical emails to the AG, why not ask if a spammer who fakes his headers is breaking the law...

Can't afford to not be concerned

[sacrilicious]

You, and the rest of [the readers I respect here], need to do better than highlighting some piece of legislation to make your point. It is plainly obvious to me that NAT, VPN, SSL, SSH, HTTP proxies or any of the other mechanisms you folks claim will be made illegal by this law are simply not. But have your fun. It's what you're all about...

Once the DMCA passed it became obvious that law makers actually ARE perpetrating the insane. Rights are destroyed when people hear about it happening and just hit the snooze button. It's happening right now.

Re:What were they thinking???

[FeloniousPunk]

Most Michigan businesses (and probably most government offices) use NAT or proxy servers for their internet connections. I believe a zealous prosecutor could interpret proxy servers as hiding the specifics of the computer that is making the requests for connections.
Yep. And "most government offices" includes Federal government, like say the Department of the Navy, for whom I'm contracting. We routinely use VPN and NAT; in fact we need VPN for personnel on travel to connect to our network and do certain mission essential tasks. I can only imagine the scene when some state AG and the ISP he's working for decides to take down the Navy.
You know that neither the legislators nor the AGs have any clue what VPNs are or what NAT is, which is why they agree to this crap in the first place. These lawmakers and lawyers are the typical sort of people who hardly know where to begin when turning on their PCs yet they are making laws governing technology they know nothing about. Telcos/ISPs just shove a proposal under their noses, tell them it'll be good for the state, and they sign and try to pass it.
I was thinking about this last night before bed and I thought, "Well, it'll get appealed and some judge will finally shoot the damn thing down once it comes out just how ignorant this legislation is," which I think will probably happen, but that is problematic in its own right. Legislatures firing off ill-considered laws only to have those laws thrown out in judicial review is a phenomenon that is becoming more and more common. The net result of this is that the democratic process is delegitimized thanks to incompetent legislators and people come to rely on unelected wise men to see that society still functions. I don't think that legislators take their jobs seriously anymore - they just try to see what the courts will let them get away with.

Re:Appropriate Ayn Rand quote

[Dyolf Knip]

Shit, man, I'm 23 and have no criminal record, but I had no trouble thinking up 4 'felonies' that I've committed.

It's unenforceable...

[KC7GR]

As I read it, and as others have pointed out, the new law makes an instant criminal out of (probably) 95%+ of the DSL and cable DSU users in the affected state. Anyone who uses a NAT-capable device (myself included) could be in a most uncomfortable position due to crap like this.

That's the bad news. The good news is that, given the sheer volume of people that already have NAT-type hookups, I don't see how this can possibly be effectively enforced. Even if the affected states try to make an example out of a few folks, it'll probably get appealed until doomsday.

I predict widespread 'civil disobedience' at first, followed by an effective court challenge that will overturn such legislative lunacy.

Re:Also with effect 31 March...

[ces]

Please don't confuse marrage as recognised by the state with commitment or lack therof on the part of a couple.

I know people who are married in every sense of the word (including holding a wedding) who happen to lack a marrage license. In one case the couple didn't want the tax hit, credit entanglement, or to deal with community property issues; in another the couple happens to be two men and thus cannot get a legal marrage.

On the other hand I know people who seem to marry everyone they date for more than a month or two. Typically they get a divorce within a year or so. Divorce is VERY easy in most states these days if there are no substantial assets or children involved.

Wait a minute! I live in michigan...

[dosh8er]

And if i was not a slashdot reader, I would not know about this law! The typical lets-not-tell-them-so-they-will-be-screwed-when-we -catch-them mentality. Anyway, I thought that this link [slashdot.org] might be a good place for fellow Michigan slashdotters to look at. Remember the article on counting machines behind a NAT ? Well, at least counter-inteligence would be less likely to suspect you/me/user as a mulit-machine law breaker. I guess I really don't care, now do I? Come and find me if you really care that much!

Proof!

[fm6]

Ok, unless I'm missing something here (and I could be), how are they going to prove someone is using a VPN or firewall?

Easy. Seize the computer that contains the illegal software [secretservice.gov]. Which is actually an end in itself [sjgames.com].

Re:What were they thinking???

[dpilot]

I'm sure the legislators never meant this to have an effect on business, only citizens. No doubt there'll be ammendments to allow business to use NAT and proxy.

I suspect that people are also being overly literal in their interpretation of this. Even if I run NAT or proxy at home, it doesn't disguise the fact that the traffic came from my network. It only hides my internal details, but not my ultimate responsibility.

Still, even by my more relaxed definition, VPN and any anonymizers would be problems.