
Data v. Privacy


HB 4938: The Great Firewall of Michigan

September 21, 2025 by Eric Reagan

Thirty years ago, the US Congress tried to ban porn on the Internet via the Communications Decency Act of 1996 (CDA). The legislation was introduced with the goal of preventing harm to minors who could access objectionable material through home computers. While it was signed into law by Bill Clinton, it failed miserably: a unanimous Supreme Court struck it down in Reno v. ACLU because it was a gross overreach into protected speech and a violation of the First Amendment.

Reno v. ACLU be damned, on September 11, 2025, Michigan Representative Josh Schriver introduced HB 4938 as the Anticorruption of Public Morals Act in the Michigan legislature. The bill essentially seeks to ban (1) all pornography and (2) any transgender-associated content.

Notably, it does so by forcing ISPs to filter content and (perhaps the worst idea in the bill) block VPNs.

Prohibited Content

All of the content restrictions are defined as “prohibited content” under the bill, an itemized list that ends with the catchall “any other pornographic material.” The item addressing transgender-associated content is defined as content that:

“Is a depiction, description, or simulation, whether real, animated, digitally generated, written, or auditory, that includes a disconnection between biology and gender by an individual of 1 biological sex imitating, depicting, or representing himself or herself to be of the other biological sex by means of a combination of attire, cosmetology, or prosthetics, or as having a reproductive nature contrary to the individual’s biological sex.”

We’ve seen a lot of shots at content restrictions through age verification laws in recent years and there appears to be a path to success in passing First Amendment muster under the current Supreme Court makeup. Notably, the Michigan Anticorruption of Public Morals Act is not an age verification law – it is an outright content ban for all Michigan residents.

In the face of age verification laws, internet users in 2025 have shrugged off such laws by turning on their VPNs. The new Michigan bill aims to close the VPN loophole by requiring ISPs to block them as “circumvention tools.”

VPNs, Proxy Servers, and Encrypted Tunnels, Oh My…

Under the proposed law, “circumvention tools” are defined as “any software, hardware, or service designed to bypass internet filtering mechanisms or content restrictions including virtual private networks, proxy servers, and encrypted tunneling methods to evade content restrictions.” As part of the content restrictions, Michigan ISPs are required to both filter prohibited material and block circumvention tools.

“An internet service provider providing internet service in this state shall implement mandatory filtering technology to prevent residents of this state from accessing prohibited material. An internet service provider providing internet service in this state shall actively monitor and block known circumvention tools.”

ISPs’ duty to filter content and block known circumvention tools brings with it fines of up to $500k per violation. Do we think ISPs are going to risk penalties like this by being conservative with their content filtering or VPN blocking strategies?

While the definition limits the restricted tools to those “designed . . . to evade content restrictions,” the filtering and blocking requirements imposed on ISPs open a privacy and security minefield.

The Great Firewall of Michigan

HB 4938 is channeling its inner China with the implementation mandate for platforms and ISPs. It requires private ISPs to do the government’s bidding by spying on its citizens. It will whittle away security and privacy in the name of public morality and cries of “oh, think of the children!” Quite literally:

These measures defend children, safeguard our communities, and put families first.

Who maintains the list of known circumvention tools? No way that list won’t be overbroad because there can’t be a legitimate use of VPNs other than through violations of public morality.

Technically speaking, how do you block VPNs? Common port numbers? Easily mitigated by changing to uncommon ports. VPN server-side IPs? No way that list stays up to date. There is no silver bullet for blocking VPNs at the ISP level.

Virtually every company in the US uses VPNs, proxies, and other technology that could be classified as “circumvention technology.” Cloudflare, Zscaler, ZeroTier, Tailscale, et al. will need to be whitelisted for Michigan companies to give users access to the Internet. And that’s just the big cloud providers. Will every small business and remote worker in Michigan need to whitelist their IPs for site-to-site and remote VPN access? Good luck to remote workers at home whose ISPs hand out dynamic IP addresses via DHCP.

Better yet, how about we just break the encryption so that the state can see into all the traffic and catch the content criminals? Because there’s really no way to be sure without inspecting every user’s traffic.

That’s where this is headed again. That’s what Congress tried in 2020 with the EARN IT Act. Or, Clipper Chips in the 90s.

Bills like this are bad ideas from the start and make technology more dangerous for individual and enterprise security and privacy.

Easier traffic inspection = no privacy online.

VPNs banned = no security on lower trust networks and a nightmare of whitelisting the “good ones.”

Of course, there’s artificial intelligence in it…

No techno-mumbo-jumbo bill would be complete without at least some AI worked in there somewhere.

HB 4938 does not disappoint with its content moderation requirements for platforms to use “artificial intelligence driven filtering technology for preemptive removal of prohibited material.”

Awesome. We can just feed AI the definition of prohibited content and expect it to implement this for us.

This fails to pass First Amendment muster, right?

To anyone with an honest reading of First Amendment jurisprudence, this bill goes nowhere. And if it did, it gets struck down with no hope of becoming an enforceable law. Right?

If something like this sees the light of day, watch out for the definition of “prohibited content” to creep. Hate speech. Extreme viewpoints. Disorderly speech.

And, whoever holds power will define what is acceptable content for the masses.

Nothing was your own except the few cubic centimetres inside your skull.
-George Orwell, 1984

Filed Under: Cybersecurity, Surveillance Tagged With: age verification, Cybersecurity, Encryption, privacy, security, vpn

Patching People When We Default to Truth

March 18, 2021 by Eric Reagan

When I was in college, I worked in loss prevention at JC Penney. I took the job very seriously with my $5.45/hr wage as I walked around the store in plain clothes pretending to be a customer but watching everyone else.

One day, I watched a woman in the baby clothing section grab a stack of clothes from the shelf, stuff them under her shirt, and walk out the door. As I approached her car, she was emptying the clothes into the back seat. I walked her back into the store and we waited for the police to arrive in the security office.

As I began filling out some required paperwork, she pleaded that she had done nothing wrong. She told me she had brought the clothes with her to return and decided not to. I started to wonder, could she be telling the truth? Did I miss something? She sounded so sincere… Was I wrong?

I Can’t Believe My Eyes!

My inner self was trying to rationalize that I was mistaken in what I had just seen through my own eyes — that this woman was telling the truth and my eyes were the liars! I snapped out of second-guessing what I had just watched happen and handed her over to the police.

Over the course of a short career in law enforcement and throughout depositions and negotiations as an attorney, this would not be the last time that my inner self would default to truth in the face of contradicting objective facts.

The Weakest Link and Truth-Default

The tired axiom that people are the weakest link in securing our data conveniently paints users as gullible or ignorant. However, these human failures have much deeper roots in psychology. No matter how well-trained users are, we are hardwired to believe other people by default.

In Talking to Strangers, Malcolm Gladwell examined the case of the decorated Queen of Cuba, Ana Montes. She worked her way up to become a senior analyst at the US Defense Intelligence Agency and the resident expert on Cuba, all the while delivering classified information to the Cuban Intelligence Service.

Her deceit was spectacular. However, when she was cornered during an interrogation, several warning signs that she was a spy were not pressed further by the DIA counterintelligence officer because he rationalized her responses and defaulted to truth. As a result, her treason continued for years.

Here is a counterintelligence DIA officer (with years of specialized training and experience in catching spies and liars) who chose to reconcile incriminating evidence and behavior with a story that doesn’t add up. He simply rationalized the lies because we all default to truth.

Why?

Why do we default to truth?

According to Dr. Timothy Levine, operating on a truth-default basis “enables efficient communication and cooperation, and the presumption of honesty typically leads to correct belief states because most communication is honest most of the time.” Believing people is efficient! The downside, of course, is that we humans are particularly vulnerable to the occasional deceit.

The simple truth, Levine argues, is that lie detection does not–cannot–work the way we expect it to work. In the movies, the brilliant detective confronts the subject and catches him, right then and there, in a lie. But in real life, accumulating the amount of evidence necessary to overwhelm our doubts takes time.

Malcolm Gladwell, Talking to Strangers

Social Engineering

As much as we train corporate IT systems users and the average consumer, people will invariably remain the weak link in the chain if we don’t provide compensating controls. Even the best and brightest are susceptible to deceit from the skilled social engineer.

In his book, Ghost in the Wires, notorious hacker and phone phreaker Kevin Mitnick walks us through his years of escapades as he wreaked havoc on Pacific Bell’s phone networks, among other companies and systems. He did so by understanding how the system worked and the technical and administrative controls put in place to specifically prevent him from gaining access.

In one exchange, Mitnick called a Pacific Bell switching center and encountered Bruce, a tech he had previously duped. Mitnick wanted to trace a phone number with Bruce’s help. While Bruce didn’t recognize Mitnick’s voice, he had been stung by social engineers before and requested a callback number. Unfortunately for Bruce, Mitnick was prepared with a Pacific Bell internal number that he had previously patched to his cell phone.

Now, how are we to protect access to data with effective cybersecurity measures at scale when a skilled social engineer engages an employee or officer? How do we guard against a Kevin Mitnick?

I don’t think we can beat all of them – certainly not the Mitnicks of the world.

Compensating Controls for Being Human

We’re all susceptible to being deceived – from second-guessing our own eyes to trying to help out a remote technician who needs to fix a problem. However, better training and awareness can help limit the losses caused by people — and stronger technical and administrative controls can further mitigate the failures of people who naturally default to truth.

While people may never develop a skillset to intuitively detect deception (we are nearly universally terrible at detecting deception), social engineering awareness training coupled with appropriate technical and administrative controls can help us recognize situations that are prompting unauthorized data access attempts. Moreover, those data security measures and systems need to compensate for humanity’s truth-default bias and our inability to effectively detect deception. We can’t continue to blame people for being human.

References:

  • Talking to Strangers by Malcolm Gladwell
  • Ghost in the Wires by Kevin Mitnick
  • Levine, Timothy. (2014). Truth-Default Theory (TDT): A Theory of Human Deception and Deception Detection. Journal of Language and Social Psychology. 33. 378-392. 10.1177/0261927X14535916. https://www.researchgate.net/publication/273593306_Truth-Default_Theory_TDT_A_Theory_of_Human_Deception_and_Deception_Detection
  • DePaulo, B.M. and Pfeifer, R.L. (1986), On‐the‐Job Experience and Skill at Detecting Deception. Journal of Applied Social Psychology, 16: 249-267. https://doi.org/10.1111/j.1559-1816.1986.tb01138.x

Filed Under: Data Protection Tagged With: data protection, privacy, security, social engineering
