IP theft commission wants to use malware to catch pirates

The Commission on the Theft of American Intellectual Property has submitted a report to the US Congress proposing anti-piracy measures and is considering the government-sanctioned use of ransomware.

According to studios and publishers, piracy constitutes a massive threat to both jobs and economies. yet, there is no good way to combat the practice — at least, not within the current scope of US law.

The use of malware is therefore what the commission, a committee formed to investigate, document and come up with ideas for fighting piracy, is considering, as spotted by Lauren Weinstein. In an 89-page report submitted to US Congress, it has detailed how "IP theft" worth "hundreds of billions of dollars per year" hurts the US economy, and proposed measures for fighting it — including the covert installation of spyware:

While not currently permitted under US law, there are increasing calls for creating a more permissive environment for active network defence that allows companies not only to stabilise a situation, but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks or even destroying the information within an unauthorised network. Additional measures go further, including photographing the hacker using his own system's camera, implanting malware in the hacker's network, or even physically disabling or destroying the hacker's own computer or network.

The report does go on to note that the commission is not recommending these measures at this point in time, as such measures have no legal precedent and could harm innocent third parties. It does, however, suggest that an assessment of the current law needs to be conducted, with law agencies given the authority to "use threat-based deterrence systems that operate at network speed against unauthorised intrusions into national security and critical infrastructure networks".

It proposes that "informed deliberations over whether corporations and individuals should be legally able to conduct threat-based deterrence operations against network intrusion, without doing undue harm to an attacker or to innocent third parties, ought to be undertaken"., It also proposed the legalised ability for companies to access a pirate's server: "without damaging the intruder's own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information."

But the idea of deploying malware is not one the commission wants to give up, noting in the paper's conclusion:

As discussed in the cyber recommendations above, if counter attacks against hackers were legal, there are many techniques that companies could employ that would cause severe damage to the capability of those conducting IP theft. These attacks would raise the cost to IP thieves of their actions, potentially deterring them from undertaking theses activities in the first place ... Further work and research are necessary before moving ahead.