On the effects of prohibiting dangerous files on the Internet

New South Wales (Australia) recently enacted a new legislation to regulate gun control with the Firearms and Weapons Prohibition Legislation Amendment Bill 2015. It is the first of its kind in that it tries to control digital fabrication of firearms, it aims: "to create a new offence of possessing digital blueprints for the manufacture of firearms on 3D printers or electronic milling machines".< href="http://www.legislation.nsw.gov.au/bills/docref/5bb4f02b-1f1e-48b2-aa93-955574e699f6"> Source (PDF)

In this brief blog post we refer to a larger conversation that is taking place in the scope of the Digital DIY project, initiated by Vincent Mueller (< href="blogs/end-gun-control-digital-diy/">The End of Gun Control ), Wouter Tebbens and Marco Fioretti (< href="blogs/threats-dangerous-information/">The Threats of Dangerous Information), Alexander Erler (< href="blogs/digitally-manufactured-weapons-can-they-be-controlled/">Digitally manufactured weapons: can they be controlled?) and now Vincent Mueller with < href="blogs/it-has-happened-legal-ban-digital-diy-files/">It has happened: A legal ban on digital DIY files . This post is co-authored by Wouter Tebbens and Marco Fioretti.
The recently approved bill in NSW includes a section 25B that defines the "new offence to prohibit the possession of a digital blueprint for the manufacture of a prohibited weapon on a 3D printer or on an electronic milling machine. The offence is to carry a maximum penalty of 14 years’ imprisonment."
We should ask ourselves what the likely impact will be of such legislation. Arguably it may have a symbolical and therefore some deterrent effect, but would it be likely to stop anyone really serious to produce an unregistered firearm?
One first limit of the bill as proposed is the focus on digital blueprints for DIY 3D printing or CNC milling of firearms, which makes one wonder if it is just a consequence of the popularity of those specific technologies in mainstream media. It is true that those specific techniques are those that offer the greatest guarantees to be able to produce (some day) DIY firearms as effective and reliable as traditional ones, even to people without particular manufacturing skills.
However, if the goal is to prohibit the possession of information or instructions for production of DIY firearms (and regardless of one's opinion on such a a goal, in and by itself), targeting blueprints for 3D printing or CNC milling doesn't accomplish much.
Both the Internet and traditional libraries are, in fact, full of blueprints or equivalent resources to make DIY weapons. If having a blueprint to make a DIY firearm with 3D printing on one's computer is a criminal offence, then why making a digital or paper copy of the Web pages returned by a simple web search for DIY guns be any  different? See e.g.:
  • < href="http://www.motherjones.com/politics/2013/05/ak-47-semi-automatic-rifle-building-party">Forget 3D-printed guns. I Built This AK-47. It's Legal and Totally Untraceable
  • < href="http://gizmodo.com/its-way-too-easy-to-build-your-own-gun-from-ebay-1690781165">It's Way Too Easy to Build Your Own Gun From eBay
  • < href="http://www.wikihow.com/Make-a-Real-Gun">Make a real gun
Even if the techniques specifically mentioned in the bill, that is 3D printing and CNC milling, were the only ways to manufacture DIY really dangerous weapons as firearms are, this would not change things much.
Consider that the CNC machines to produce anything from spare parts to custom made designs, from knifes to firearms, are there to buy off-the-shelf or to build yourself, using Open Source Hardware designs and standard, readily available parts. Only the so called lower receiver would currently be the harder part to acquire, as we know that to be available on the market in the USA, but likely not so in Europe. But we can easily assume that sooner rather than later, also these parts will be available in digital formats, to be made with appropriate digital fabrication tools. These kind of machines - CNC mills or 3D printers - are general purpose machine tools and their designs are shared over the Internet through globally sharing communities, like RepRap, a poster child of the Digital DIY and Maker movement. So we can agree that 1) nobody is going to stop the sharing of design files for such general purpose machines and 2) they are evolving every day so even the making of firearms will become easier and the resulting arms better.
Now this bill doesn't target the machines itself per sé, but it targets the "digital blueprint for the manufacture of a prohibited weapon". So we should ask ourself what we can learn from past experiences with a similar purpose. Remember the War on Filesharing Part I,  where the copyright industry tried to protect its old business model  from people sharing  films, software and music. History has shown that  the filesharing didn't stop and in fact is now living side by side with commercial online music and video stores (the industry ended up adapting its business model at least partly). Remember also the cryptowars (< href="https://www.didiy.eu/blogs/threats-dangerous-information">see here).  Such legal actions have shown one important thing: they are not effective in a distributed network like the Internet.
More concretely, even if laws didn't permit such activity and worldwide campaigns to discourage sharing ("piracy") were waged even in schools (against copying and sharing, which in fact is a basic element of learning), three technical means have enabled to exchange files between peers. First we have BitTorrent, the most advanced p2p filesharing protocol, second we have end-to-end encryption and third we have anonymity services like Tor. These three parts explain why filesharing of any sort of files has not decreased despite all pressure against it, and there is no way to expect it will make files that contain "dangerous information" inaccessible. Possibly it will be a bit harder to obtain such files, but anyone seriously interested will be able to get them. 
Besides the limitation to a deterring effect, the referred legislation may do harm. First it doesn't seem to do much good to enforceability and therefore is likely to have a negative impact on the reputation of the police and the judicial system. But there maybe more chilling side effects. This law is still rather specific that it refers to a "prohibited weapon", however the question remains: who gets to decide what information is considered dangerous? When we're dealing with easily recognisable firearm blueprints, then things are clear and undisputed, but what when the components are shared individually? Or when is something considered sufficiently dangerous and illegal? At some point one might be inclined to consider a knife dangerous and thus prohibit designs of such practical tool as well. Generic components can be innocent until they're put together to form a dangerous weapon. 
Maybe the bigger problem with that part of that bill is that it includes the concept that, in addition to actually owning, using or doing something dangerous, even the mere act of possessing information or instructions about how to build or do something dangerous is a reason to go to prison. Could a journalist,  under that bill, collect documentation to write an article about the dangers of 3D printed weapons? And that isn't even the worst part.
"Information  or instructions about how to build or do something dangerous" is  everywhere, in all forms and for many uses, both absolutely legitimate,  from fantasy novels and trekking manuals to the Unabomber manifesto or Breivik's  European Declaration of Independence. Under the principle in that bill, a teacher or parent could not read those texts to figure out how to prepare their children to recognise and reject such madness. Who decides, and how, what is "information about dangerous things or objects" whose mere "possession" deserves inprisonment? 
We should acknowledge here that many policymakers unfortunately have little understanding of the technical architecture of the Internet, and/or consider that people's privacy is not something important enough to be guaranteed. In this sense we can appreciate that there is already a war against encryption, since, or before even, Edward Snowden revealed the practices of massively automated spying by the National Security Agency. Since the Paris attacks this month, certain policymakers are lobbying again for the ban of strong end-to-end encryption, so they can continue to expand the surveillance state.
What happens to our right of privacy and anonymity in this ever expanding net of internet communications being constantly monitored and automatically generating profiles on any connected citizen, suspicious of no offence, but suddenly linked to criminals because s/he happened to be on the same public space at the same time?
We are living in a transition from centralised to distributed networks, which has a profound impact on our way of life. Before we were used to live in a nation state with democratically elected governments who were in control of how society works, in tandem with big companies that were in control in "their" markets. Enter the distributed networks, the age of the Internet. Now we are entering an age of uncertainty, first because we don't know yet exactly how we can best organise, and second because there is no single central entity anymore that is in control.  We seek new norms to govern our community, new ethics, new rules.
< href="http://www.dw.com/en/some-governments-dont-want-to-discuss-mass-surveillance/a-18848685">UN Privacy Rapporteur  Joe Cannataci warns about the loss of privacy and the rise of cyberwar: "Cyberspace risks being ruined by Cyberwar and Cyber-surveillance but Governments and other stakeholders should work towards Cyberpeace". About privacy he remarks: "In its modern context, privacy needs to be taken as a fundamental human  right, together with two other rights which are freedom of expression  and freedom of access to publicly held information. These three rights  together are the tripod on which rests an over-arching fundamental right  recognized by some countries as the right to free, unhindered  development of personality."
For resolving the complex dilemmas of our changing times (of systemic change indeed) let's make sure we think in distributed networks and not in centralised forms of control. We suggest we focus on its main ethical values of freedom and autonomy, sharing and solidarity, sustainability and human dignity (summarised from < href="http://wiki.freeknowledge.eu/index.php/FKI:Strategy">FKI's core values ). These relate to a moving away from responsibility transferred to central governments or multinational corporations; it means we have to understand the risks ourselves and take responsibility for the things we do, self-organise and work together, bottom-up instead of top-down. 
Let's stress here once more that we share the worry for new threats that derive from digital fabrication of guns. But we don't think the legal initiatives such as the bill from NSW in Australia are the most appropriate way forward. If we recognise the systemic changes and the nature of the network society (as defined by  Manuel Castells (The Rise of the Network Society, 1996) we are in a better position to conceive of an effective policy answer. A social code or contract based on voluntary adherence would be seem to be more in this direction than a top-down prohibition of filesharing - after all recent history has shown how unenforceable such initiatives are in practice. This could be combined with controlling the distribution of certain critical parts or materials and possible discouraging measures. But prohibiting filesharing on a decentralised network like the Internet is deemed to be ineffective or even counterproductive.


Hi Wouter and Marco, thanks for this helpful commentary on NSW’s new bill. I certainly agree with you that it cannot be enough, on its own, to forestall the risks from digitally manufactured firearms – it needs at least to be coupled with the sort of measures we have discussed in our previous blog posts. However, let me suggest a slightly more optimistic take on the possible benefits of this piece of legislation. Perhaps its deterrent effect will be amplified if it can also serve after a criminal act has been committed with a digitally manufactured weapon: for instance, if the perpetrator of gun violence obtained his digital blueprint from someone else who also didn’t have the permission to possess such a thing. If this latter person could be tracked down (which might not require the sort of indiscriminate surveillance that you rightly find problematic, and that would be needed to discover illegal blueprints before they were used), he would himself face a prison sentence of up to 14 years. This would give the possessors of such blueprints a weighty reason not to share them carelessly with others who might use them to ultimately commit violent acts. Wouldn't it?

Hi Alexander,

At a practical level, I am almost certain that a bill like this can serve ONLY "after a criminal act has been committed", not "also": it is so very easy to hide possession of such files, without even using encryption, that use it for harsher punition after a crime is the only deterrent it can possibly have.

At the same time, I am concerned that getting approval for a bill like this can encourage lawmakers without a real understanding of how the internet and software actually work to approve other law proposals that only limit civil liberties. If they believe that a bill like this can prevent crime, they would also approve bills for automatic, mass online surveillance, for example.

At a different, ethic level, the very principle that one needs "permission to possess" information on how to build something dangerous, rather than actually manufacturing, having and using it, concerns me. I am worried that it can lead to worst abuses than those I have already mentioned. There are all sort of works that may be made illegal going down that path, including schoolbooks.

About the deterrent effect on those who supply the blueprints to those who actually use them to "ultimately commit violent acts": on one hand, I feel that it would do more harm than good to society as a whole. There is no way to share digital information "carefully". Either you never share it with anyone, or it will go everywhere, eventually. So there will be people who will simply ignore the bill, and people who will refrain from certain activities altogether, including education and research, simply to avoid the hassle to get permission. 

On the other hand, the simpler laws are, the easiest it is to both accept and enforce them effectively (one may also say that the simplest laws are the more ethical they are): at this level, I first wonder if there is the need for legislation so specific. If I assisted or "enabled" somebody to commit a crime, I can already be investigated/punished with existing laws.

For example, I do agree that supplying blueprints to someone who then actually 3D printed a gun to do a mass shooting should be legally handled like supplying him a traditional firearm: but why make a different law for it? Also, if specific legislation against DIY weapons is needed (which I don't think), why it doesn't include e.g. chemical recipes to make explosives, or the mere acts of making, watching, sharing or copying one of the many tutorials on Arduino or cell phone detonators now on YouTube and other places? That is as Digital DIY as 3D printing a gun at home.


Vincent C. Müller's picture

Thanks for the thoughtful post.

Paradoxically, my concern is a principled one, and the real question is probably technical: Yes, we know that filesharing of music has produced a situation where illegal and legal activities continue, and where the ethical views of many people change towards less protection of intellectual property rights. But this might not happen in other cases where the political will is stronger.

Say there is some file that politicians around the world REALLY do not want to be spread, could they not prevent this, could they not make the risk very high that you are caught? In principle? (I also think that in some cases they should, but that's a different matter.)

This is why I say the real question is technical.

VCM (www.sophia.de)

Wouter Tebbens's picture

First I think we deal with various principles here. One is making filesharing of certain files illegal. Another is to respect people's privacy. Another is respect people's access to information and freedom of speech. One way to look at it is to weigh these various principles and see how far do you want to go to assure control over firearms.

A second way of looking at it is to take into account the technicalities or workings of the Internet. Apart from entering in very much technical detail, we can however learn from the past.

Vincent, you ask about stopping the spreading of digital information in a decentralised network. Some lessons we can draw, apart from the ones we mentioned already in the various blogposts:

  • Barbara Streisand: tried to stop the spreading of a photo of her house in Malibu: nowadays we now it as: The Streisand effect is the phenomenon whereby an attempt to hide, remove, or censor a piece of information has the unintended consequence of publicizing the information more widely, usually facilitated by the Internet.
  • Silk Road: the darknet market place where anything forbidden was sold through the net and with cryptocurrencies. When the person running the central marketplace was arrested by the FBI end 2013, several copies have sprung up and it appears far from being under control. In fact various very powerful p2p distributed platforms are developing using blockchain technology inspired on BitCoin that have anonimity, collaboration and sharing at its core. Very positive in many senses, but also uncontrollable in other ways.

I think that the improbability to stop filesharing of a specific file has been demonstrated by now, don't you think? That really depends on blocking the original copy from being published. Once the ghost is out of the bottle...

If we accept the nature of distributed and decentralised networks such as our Internet, can we then agree to seek for other solutions than making digital files illegal?

When the possession of physical versions of unregistered dangerous weapons is illegal (as I understand it is), as well as the usage of such weapons inflicting harm unto others is illegal, why would that not be sufficient?

Right now the threat of the weapons in question is mostly towards the DIYer trying to make such weapon and gets injured himself. And possibly in the future this may change, but I think we shouldn't adopt such unenforceable laws that have negative impact on some very fundamental rights.

Wouter Tebbens's picture

Apart from the technical impossibilities of blocking filesharing, also legally it is not that easy.

Just as a reference, look at the Pirate Bay, today in the news again (wasn't it seized and dead by now?):

As it is, the UK’s 2012 attempt boiled down to going after the middleman. As we said at the time, it was like blaming the postman for delivering an illegal item, like a pirated DVD.

The Stockholm court thought likewise, finding that Bredbandsbolaget’s operations as an ISP don’t make it a participant in whatever copyright infringement might be carried out by its pirate subscribers.

Many Europeans countries do, in fact, block Pirate Bay, but anti-piracy groups have their hearts set on throttling it in its own homeland.

If you eyeball the list of countries that block – or try to block – Pirate Bay, you’ll see that many are wrangling with their ISPs over the issue.


Wouter Tebbens's picture

Today I read the news of US government starting a mandatory registry of recreational drones. Commercial UAVs are still banned unless they ontain a formal exemption.

So I'm wondering whether this might be a useful alternative for the challenges we may get in the area of DiDIY made weapons.

If we follow the example, we could have a regulation that requires DIYers to register the weapons they make in an online registry and obtain an ownership certificate with a unique identification number.

If one wants to sell weapons, the existing legislations already would cover that. But DIY and in particular DiDIY are not regulated and are our concern.

The US drone regulations seem to impose a very steep curve of sanctions for not registring. Similar sanctions could be thought of.

Weapons are a serious thing, and we could therefore expect people to comply with such legislation. There will always be a minority who doesn't comply, because they don't care or otherwise, but the objective is to minimise that.

Would a regulation along these lines be feasible and acceptable to us? I think it would be better that no regulation as we have currently. And at the same time wouldn't forbid filesharing on the Internet.

If you are worried of terrorism, please notice that none of these regulations is likely to have any effect. Also, terrorists have until date preferred and be able to source their weapons from black markets and haven't yet relied on fancy digital fabrication technologies as we know.

Interesting idea, Wouter. Though the new US regulation doesn’t appear to involve a mandatory background check before someone is granted the relevant ownership certificate, which I think would be necessary in the case of digitally manufactured weapons. 

I would think that background checks are "out of scope" in one specific sense, that is:

that every state will and should deal with them as it deals with the same matter in the non-DiDIY case. European states, as far as I know, mostly do background checks on on potential weapons owners, while USA does not, basically, but that is for reasons directly linked to their Constitution and history. 

Regulating actual possession and usage of physical weapons: surely yes, and personally I suggest that this can and should be done with an extension of the same principles and laws that already exist. Example:

  1. deal with every physical weapon actually possessed, whatever its origin/supplier is, with the same  procedures, i.e. mandatory registration, unique number etc... BUT (ONLY ADDITION...):
  2. if the weapon is self-built (regardless of the actual technology used!) get an additional license as "diy, non commercial weapon manufacturer" which is given only if the applicant proves he or she can manufacture weapons that, for example, don't explode in the hands of their user

I am not sure yet that this would be doable/recommendable, but at least this would be legislation that directly addresses (within the limits already described by Wouter) the harmful consequences of actually having a physical weapons, without giving additional reasons for censorship etc