FTDI: Is the law criminal?
The EDRi-gram has previously reported on the general silliness, if not active harmfulness to an open society, of certain copying controls that are generically referred to as Digital Rights Management (DRM). However, it’s not often that a practical example comes around that underlines the problem and at the same time has potential to demonstrate the double-standards in equally silly and potentially harmful legislation on “cyber”-crime.
FTDI is a Scottish chip manufacturer that is highly successful in the market for chips that allow easy interoperability between embedded electronics and a PC’s USB port. It felt threatened by possibly trademark-infringing competitors. In response to this perceived threat, it released an update for the Windows driver for its flagship product. The update disables any product that is FTDI-compatible, but not an exact copy.
When called out about this rather unusual behaviour, it initially defended this practice as necessary to protect its so-called intellectual property rights (IPR), but later rescinded the offending driver.
Apparently, the company felt that the already overly generous means for enforcing its rights in both national and EU legislation were not sufficient. It subsequently not only went on to disable equipment of end-users who could not possibly know whether any counterfeit chips were used in their equipment, but also to disable equipment that contained compatible chips that are quite possibly not infringing at all. There is no way that software can recognise the difference between a chip that is infringing and one that is not.
Under the terms of the Council of Europe Cybercrime Convention, “the damaging, deletion, deterioration, alteration or suppression of computer data without right” is a crime, when committed intentionally. It could be argued, therefore, that FTDI was in literal breach of this provision when it took these steps to enforce rights that were not necessarily infringed at all. This course of action meets all the criteria of article 5 of the Convention against Cybercrime. Microsoft’s involvement in was also in literal breach of the Convention distributing this driver as part of its regular updating process also raises interesting questions.
If all the hand-wringing about computer-related crimes by law enforcement were serious, we would have expected a serious investigation of FTDI at least, and possibly Microsoft across Europe already. So far we’ave seen nothing of that sort, and we;re not holding our breath.
The take-away of all this is the algorithmic enforcement of legal rules, whether it is through DRM, automated notice-and-take-down procedures, data-mining the spoils of untargeted surveillance or automated filtering of web-traffic to combat child abuse, is error-prone and ultimately counterproductive.
Watch that Windows update: FTDI drivers are killing fake chips (22.10.2014)
Chipmaker FTDI bricking counterfeit kit – USB-serial imitators whacked by driver update (23.10.2014)
FTDI, or how to run a company into the ground using DRM (25.10.2014)
(Contribution by Walter van Holst, EDRi-member Vrijschrift, The Netherlands)