From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Wed, 26 Sep 2001 22:21:04 -0700 (PDT)
Subject: [iwar] [fc:Anticircumvention.Rules:.Threat.to.Science]

Anticircumvention Rules: Threat to Science
Pamela Samuelson, Science, 9/26/2001
http://www.sciencemag.org/cgi/content/full/293/5537/2028

Scientists who study encryption or computer security or otherwise reverse engineer technical measures, who make tools enabling them to do this work, and who report the results of their research face new risks of legal liability because of recently adopted rules prohibiting the circumvention of technical measures and the manufacture or distribution of circumvention tools. Because all data in digital form can be technically protected, the impact of these rules goes far beyond encryption and computer security research. The scientific community must recognize the harms these rules pose and provide guidance about how to improve the anticircumvention rules.

Recent legislation in the United States and Europe whose ostensible purpose is to protect copyrighted works from pirates is being used to inhibit science and stifle academic research and scholarly communication. The threat to science is illustrated by strong-arm efforts of the Recording Industry Association of America (RIAA) and the Secure Digital Music Initiative (SDMI) Foundation to use the anticircumvention provisions of the Digital Millennium Copyright Act (DMCA) to suppress publication of a paper by Edward Felten of Princeton University's Computer Science Department and several coauthors (1). Felten's paper described weaknesses in digital watermarking technologies that RIAA and SDMI hoped to use to protect commercially distributed digital music (2). RIAA and SDMI asserted that the researchers could not publicly disclose details of their research without violating the DMCA (3). Unfortunately, such an assertion must be taken seriously because all too often in recent years, when courts have perceived a conflict between intellectual property rights and free speech rights, property has trumped speech (4).

Computer security and encryption researchers are far from the only scientists who have reason to fear the DMCA. Any data in digital form can be protected by encryption and other technical measures, and those who distribute digital data in this manner can use the DMCA to restrict what scientists or other researchers can do with the data.

The DMCA establishes several new rules to protect copyright owners. First, the DMCA bans the bypassing of technical measures used by copyright owners to protect access to their works (5). Second, it outlaws the manufacture or distribution of technologies primarily designed or produced to circumvent technical measures used by copyright owners to protect their works (6). Third, it makes removal or alteration of copyright management information (CMI) from digital copies of copyrighted works illegal (7). Copyright industry lobbyists persuaded Congress to adopt these rules to reassure rights-holders that when they used technology to identify their ownership rights (e.g., by digital watermarks) or to protect digital copies of their works (e.g., by encryption), pirates could not simply strip the CMI from those copies or use countermeasures to undo the encryption to facilitate copyright infringements (8).

The major recording industry firms who belong to RIAA plan to implant watermarks in digital recordings not only to identify their ownership rights but also to ensure that the music can only be played or copied if the watermarks authorize it (9). For this plan to work, the consumer electronics industry and makers of music-player software for PCs must build systems designed to read and conform to these watermarks. SDMI is the multi-industry consortium formed largely at the instigation of RIAA to develop technical standards for watermarks and compliant devices and player software. In September 2000, SDMI announced its selection of certain technologies as candidate standards and issued a public challenge encouraging skilled technologists to try to defeat these technical protection measures (10).
SDMI even offered to pay $10,000 per broken watermark to anyone who demonstrated to SDMI's satisfaction that his or her attack had been successful. Felten and his collaborators decided to accept the challenge, although they decided against seeking the prize money because SDMI was only willing to award it to those who agreed not to reveal how they defeated the watermarks to anyone but SDMI (11).

Felten and his collaborators made no secret of the fact that they were writing a paper on the results of their research about the SDMI watermarks (12). When an executive from the developer of one of the candidate watermarks asked to see the paper, Felten sent him a draft. This executive and RIAA then tried to persuade Felten to omit from the paper certain details about the weaknesses of the SDMI technologies. Felten and his coauthors decided that these details were necessary to support their scientific conclusions. There ensued numerous conversations between representatives of SDMI and RIAA, on the one hand, and Felten, his coauthors, members of the conference organizing and program committees, and lawyers from institutions with which these persons were affiliated, on the other. SDMI and RIAA asserted that any presentation of the paper at a conference or subsequent publication of the paper in the conference proceedings would subject these persons and their institutions to liability under the DMCA and made clear their intent to take action against the researchers unless they withdrew the paper (13). Although convinced that they would be vindicated if the matter went to court, Felten and his coauthors reluctantly withdrew the paper from the April conference out of concern about the high costs of litigation (14). This decision was widely reported in the press and has had a chilling effect on the willingness of cryptographers to publish the results of their research (15). Since then, the Electronic Frontier Foundation has agreed to represent Felten and his coauthors in an affirmative challenge to the RIAA and SDMI claim that seeks a judicial declaration that presenting or publishing this paper does not violate the DMCA (16).

The idea that Felten's paper violates the DMCA initially seems absurd on its face. Whatever plausibility it has is due to a broad interpretation given to the DMCA rules in a trial court decision in Universal City Studios, Inc. v. Reimerdes in August 2000 (17). Universal sued 2600 Magazine and its publisher Eric Corley (a.k.a. Emmanuel Goldstein) because 2600 posted a copy of a computer program, known as DeCSS, as part of its story about a young Norwegian hacker, Jon Johansen, who figured out how to bypass the Content Scrambling System (CSS) used to protect commercially distributed DVD movies. Johansen wrote DeCSS and posted it on the Web so that others could benefit from what he had learned. Universal convinced the trial judge that DeCSS was an illegal circumvention technology, the public availability of which threatened the viability of the motion picture industry (even though Universal did not produce any evidence that DeCSS had ever actually been used to make an infringing copy of the plaintiffs' movies; it was enough, in Universal's view, that the program could be used for this purpose). After being ordered in January 2000 to take down DeCSS from the 2600 site, Corley decided to link to sites where DeCSS could be found. In August 2000, the trial judge ruled that linking also violated the DMCA and forbade posting or linking to source or object code forms of DeCSS. The judge rejected Corley's First Amendment defense because of the functionality of DeCSS and the danger that the program posed to Universal's market for copyrighted movies. Under this judge's reasoning, even an English-language version of DeCSS might violate the DMCA.

SDMI and RIAA regard Felten's paper as providing a functional recipe for circumventing the SDMI watermarks that posed dangers to the recording industry akin to those that DeCSS posed for the motion picture industry. SDMI and RIAA have not been willing to concede that writing and distributing a paper describing the results of reverse engineering of a technical protection measure are different from writing and distributing an executable program capable of defeating that measure [but for the fact that SDMI issued a public challenge to the technical community to try to break the technical protections they had devised, SDMI and RIAA would undoubtedly argue that the reverse engineering of publicly disseminated watermarking technologies, whether for academic research or for piratical purposes, violates the DMCA rule against alteration or removal of copyright management information (18)].

The ruling against Corley is on appeal. One can always hope that the appeals court will give the DMCA a narrower interpretation than the trial judge did and that this narrower interpretation will propagate in other cases. In the meantime, the DMCA is a cloud on the horizon for all computer security and encryption researchers, whether they operate in an academic or commercial setting, if their work has any potential application to protecting digital content.

Although the DMCA rules contain narrow exceptions for computer security and encryption research, practitioners in these fields take little comfort in them (19). Several prominent cryptographers submitted an amicus (friend of the court) brief in the Corley case in which they characterized the encryption research exception as "so parsimonious as to be of little practical value" as well as being based on a "fundamentally mistaken conception of cryptographic science" (20, 21). It applies, for example, only if the researcher is employed or has been trained as a cryptographer, even though some brilliant breakthroughs in this field have come from amateurs (22). The researcher must also seek permission from affected rights-holders before trying to reverse engineer encryption technology (23). The exception further requires the researcher to prove that his or her research was necessary to advance the state of the art when the researcher may just be trying to understand how a technology works (24). In addition, the exception may be unavailable if the researcher publishes his or her results on the Internet because this will make them accessible to potential pirates (25).

But the most fundamental point is that "the science of cryptography depends on cryptographers' ability to exchange ideas in code, to test and refine those ideas, and to challenge them with their own code. By communicating with other researchers and testing one another's work, cryptographers can improve the technologies they work with, discard those that fail, and gain confidence in technologies that have withstood repeated testing" (20). Encryption and computer security cannot get stronger if researchers in these fields are at risk of liability from the DMCA for merely working in their chosen field and communicating with one another about it.

The implications of the DMCA for science are not limited to computer security and encryption researchers. Virtually all computer scientists, as well as many other scientists with some programming skills, find it necessary on occasion to reverse engineer computer programs. Sometimes they have to bypass an authentication procedure or some other technical measure in order to find out how the program works, how to fix it, or how to adapt it in some way. The act of bypassing the authentication procedure or other technical measure, as well as the making of a tool to aid the reverse engineering process, may violate the DMCA.

Although the DMCA also has an exception for reverse engineering of a program (26), it too is narrow. It only applies if the sole purpose of the reverse engineering is to achieve program-to-program interoperability and if reverse engineering is necessary to do so (27). Trying to fix a bug or understand the underlying algorithm does not qualify. Information even incidentally learned in the course of a privileged reverse engineering process cannot be divulged to any other person except for the sole purpose of enabling program-to-program interoperability (28). Under a strict interpretation of the DMCA, a reverse engineer could not, for example, publish lawfully obtained interface information or details of the program's authentication technique in an academic or research paper.

Other evidence of the narrowness of the reverse engineering exception can be seen in the trial judge's response to Corley's interoperability defense (29). Jon Johansen testified at Corley's trial that he developed DeCSS to help the Linux programmers develop a Linux-based DVD player. The judge rejected this defense for several reasons: First, DeCSS did not have as its sole purpose the achieving of interoperability because it could also be used to bypass CSS on a Windows-based system. Second, DeCSS might help achieve data-to-program interoperability, but the statutory exception only permits program-to-program interoperability. Third, even if Johansen had been eligible for the interoperability privilege, Corley (a mere journalist) was not because he was not trying to develop an interoperable program.

Of course, any data in digital form, not just sound recordings and motion pictures, can be protected by technical measures. Those who disseminate digital data may want to restrict what researchers can do with the data. Imagine, for example, that a pharmaceutical company produces data to prove that a new drug is safe but technically protects it so that only certain tests can be performed on the data, all of which support the safety claim. A scientist who doubted the safety claim and tried to process the data by additional tests would violate the DMCA if he or she bypassed the access control system restricting use of the data (30). Or imagine that this pharmaceutical firm put the data on an access-controlled Web site available only to those who agreed to licensing terms forbidding use or disclosure of the data or test results except as authorized in the license. A scientist who tried to access the data without agreeing to the license might also run afoul of the DMCA.

Microsoft once posted a certain technical specification on a Web site, access to which was designed to be available to researchers only if they clicked "I agree" to a license that forbade disclosing details of the specification (31). A smart technologist figured out how to bypass the click-through license and posted instructions about it on slashdot.org, after which there was a heated debate about the specification on slashdot. Microsoft learned about the slashdot postings and demanded that slashdot delete these messages on the theory that they violated the DMCA's anticircumvention rules. Microsoft is surely not the only entity in the world that wants to control a wider community's use of its information and will find the DMCA a useful tool for achieving this objective. Advances in technology now permit very fine-grained control over access to and use of information. This control has been powerfully reinforced by the DMCA, and it enables firms and individuals to engage in "privication" (i.e., "the mass distribution of information to `authorized' users with tight control over its use") (32, p. 1218).
This disturbing practice may well creep from one subdiscipline of science to another unless the scientific community recognizes the potential threat that privication and the DMCA pose for preservation of the norms and practices of science. The question, then, is whether science can do something about it.

I am optimistic that the scientific community can make a difference because it has been able to mobilize and make an effective case for policy change when expansions of intellectual property rights, actual or proposed, were about to have serious repercussions for science (33).

The scientific community has played an important role in holding back a vast expansion of intellectual property rights to the contents of databases. Back in 1996, the European Commission realized that many commercially valuable databases did not qualify for copyright protection because they exhibited insufficient creativity in selection and arrangement of data and that when databases did qualify for protection, the copyright in them did not protect the data themselves from being reselected and rearranged. So the Commission proposed a new form of intellectual property protection for the contents of databases, and in 1996, this new legal regime was mandated in the European Union. Now any person or firm that expends substantial resources in compiling data in the European Union has a legal right to prevent anyone else from extracting or reusing all or a substantial part (whatever that means) of the contents of the database for 15 years (34). Additional expenditures in maintaining the database will renew the term of protection, which arguably gives European data compilers perpetual rights in the data in their databases (35).

Although scientists in Europe seem not to have been consulted when this law was wending its way through the European Commission and Parliamentary approval process, scientists in the United States recognized that such a law posed serious problems for traditional norms and practices of science (36). They did not object to giving databases some legal protection but argued that the European Union database right went too far. So they organized a successful effort in late 1996 to persuade the Clinton Administration to back away from support for an international treaty to universalize the European database rules that a senior U.S. official had previously endorsed (37). These organizations also helped to persuade the Clinton Administration to moderate its stance on several digital copyright issues, including whether fair use would survive in the digital age, scheduled for consideration at a diplomatic conference in December 1996 (38). Thanks in no small part to these efforts, the treaty eventually adopted was balanced and sound. Since 1996, the American Association for the Advancement of Science and the National Academies of Science and Engineering have been among the scientific organizations that have worked together to oppose European Union-style database legislation in Congress and in the international arena (39). So far they have been successful, but database bills will be back, and victory in future rounds will depend on continued vigilance.

The scientific community has not been as active about the DMCA anticircumvention rules, perhaps because the threat they posed seemed too abstract and diffuse. But now that the threat that these overbroad rules pose for science is more evident and immediate, it may be the right time to focus on the DMCA. There are at least two ways to do this. One is to submit amicus briefs in pending cases to urge courts to give narrow interpretations to these rules to mitigate the harm to science.
Another is to make suggestions to Congress about how the DMCA could be modified to provide a better balance between protection for copyrighted works and protection for scientific research and communications. One thing is certain: Better anticircumvention rules will not come about just because it is the right thing to do. This will only happen if the scientific community and others harmed by these overbroad rules are able to articulate why the DMCA rules are harmful and how legal decision makers can fix the problems with this legislation.

REFERENCES AND NOTES

1. See, e.g., C. C. Mann, "Secure-Music Group Threatens Researchers Who Plan to Publish on Hacking Success," Inside Magazine, 22 April 2001, available at www.inside.com.
2. The paper was entitled "Reading Between the Lines: Lessons from the SDMI Challenge" and was scheduled for presentation at the Fourth International Information Hiding Workshop in Pittsburgh, PA, on 26 April 2001. For further details, see the SDMI challenge FAQ at www.cs.princeton.edu/sip/sdmi/faq.html.
3. A copy of the RIAA letter to Felten asserting that presentation or publication of the researchers' paper would violate the DMCA is available at cryptome.org/sdmi-attack.htm.
4. See, e.g., M. A. Lemley and E. Volokh, Duke Law J. 48, 147 (1999) (giving examples).
5. 17 U.S.C. sec. 1201(a)(1)(A). This provision is subject to seven exceptions, three of which are discussed in this viewpoint. For a critical commentary on the DMCA anticircumvention regulations, see, e.g., P. Samuelson, Berkeley Technol. Law J. 14, 519 (1999).
6. 17 U.S.C. sec. 1201(a)(2), 1201(b)(1). Subsection (a)(2) pertains to technologies that bypass access controls and (b)(1) to technologies that bypass other technical measures (e.g., copy controls) used by copyright owners to protect their works.
7. 17 U.S.C. sec. 1202. Unlike section 1201, this rule has no exceptions for research or other legitimate purposes.
8. See WIPO Copyright Treaties Implementation Act and Online Copyright Liability Limitation Act: Hearings on H.R. 2281 and H.R. 2280 Before the Subcommittee on the Courts and Intellectual Property of the House Committee on the Judiciary, 105th Congress (1997) (statements of Jack Valenti, Robert Holleyman, and Allan R. Adler in support of the anticircumvention rules).
9. For a concise description of the intended role of watermarks in protecting digital music in compliant devices, see the SDMI challenge FAQ at www.cs.princeton.edu/sip/sdmi/faq.html.
10. See "An Open Letter to the Digital Community," available at www.sdmi.org/pr/OL_Sept_28_2000.htm.
11. This is explained in the SDMI challenge FAQ at www.cs.princeton.edu/sip/sdmi/faq.html.
12. The facts in this paragraph are set forth in the complaint filed by the Electronic Frontier Foundation on behalf of Felten and his coauthors against RIAA and SDMI, which is available at www.eff.org/Legal/Cases/Felten_v_RIAA/20010606_eff_complaint.html.
13. Also challenged was a chapter of a Princeton Ph.D. student's dissertation that discussed the SDMI challenge. This student successfully defended her dissertation and, in keeping with standard practice in her field, posted the dissertation on the Internet. Out of an abundance of caution after withdrawal of the Felten paper (of which she was a coauthor) from the April conference, she removed the SDMI chapter from the Internet.
14. Felten's statement when he announced withdrawal of the paper from the April conference is available at cryptome.org/sdmi-attack.htm.
15. See, e.g., (1); K. Dawson, "Watermarks...or Freedom?," Industry Standard, 7 May 2001. One Dutch cryptographer, Niels Ferguson, has explained the chilling effects that the DMCA has had on his willingness to publish the results of his research at macfergus.com/niels/dmca/index.html.
16. The complaint is available at www.eff.org/Legal/Cases/Felten_v_RIAA/20010606_eff_complaint.html. Felten finally presented the paper at a USENIX conference on 15 August 2001. However, he and his coauthors continue to be concerned about DMCA liability for reasons set forth in court papers filed in response to RIAA's motion to dismiss the Felten lawsuit (also available at www.eff.org). These concerns have been amplified by the recent arrest of a Russian programmer, Dmitri Sklyarov, for criminal violation of the DMCA rules because he wrote a program capable of bypassing an Adobe e-book program.
17. Universal City Studios, Inc. v. Reimerdes, 111 F. Supp. 2d 294 (S.D.N.Y. 2000).
18. The Felten v. RIAA complaint in (12) reflects concerns that the defendants claim that the researchers violated 1202 as well as 1201.
19. 17 U.S.C. sec. 1201(g), 1201(j). Felten may not be eligible for either privilege because the SDMI watermarks are not encryption and because the computer security exception does not apply to 1201(b), but only to 1201(a)(2). Neither privilege applies to 1202 claims.
20. Brief of Amici Curiae of S. Bellovin, M. Blaze, D. Boneh, D. Del Torto, I. Goldberg, B. Schneier, F. A. Stevenson, D. Wagner, in Universal City Studios, Inc. v. Reimerdes, to the Second Circuit Court of Appeals, 26 January 2001, available at eon.law.harvard.edu/openlaw/DVD/NY/appeal/000126-cryptographers-amicus.html.
21. Problems with the overly narrow and ambiguous encryption and computer security exceptions to the DMCA are discussed by the National Research Council [The Digital Dilemma: Intellectual Property in the Information Age 174-75, Appendix G (National Academy of Sciences Press, Washington, DC, 2000)].
22. 17 U.S.C. sec. 1201(g)(3)(B).
23. 17 U.S.C. sec. 1201(g)(2)(C). The computer security exception requires that the researcher actually get, and not just ask for, permission to defeat the technical protection measure. 17 U.S.C. sec. 1201(j)(1).
24. 17 U.S.C. sec. 1201(g)(1), (g)(2)(B).
25. 17 U.S.C. sec. 1201(g)(3)(A). The encryption researcher must also provide affected copyright owners with the results of his or her research in a timely manner. 17 U.S.C. sec. 1201(g)(3)(D).
26. 17 U.S.C. sec. 1201(f).
27. 17 U.S.C. sec. 1201(f)(1).
28. 17 U.S.C. sec. 1201(f)(3).
29. The interoperability defense is discussed in Universal City Studios, Inc. v. Reimerdes, 82 F. Supp. 2d 211 (S.D.N.Y. 2000) (ruling on the preliminary injunction motion), 111 F. Supp. 2d 294 (S.D.N.Y. 2000) (ruling after trial).
30. See A. W. Appel, E. W. Felten, Comm. ACM 43, 21 (September 2000) (giving examples of academic research that might be illegal under a strict interpretation of the DMCA rules).
31. See J. E. Cohen, "Unfair Use," The New Republic, 23 May 2000 (available at www.tnr.com/online/cohen052300.html).
32. J. Zittrain, Stanford Law Rev. 52, 1201 (2000).
33. The scientific community expressed doubts, for example, about the patenting of expressed sequence tags (ESTs) of DNA of unknown functionality. The U.S. Patent and Trademark Office thereafter issued new guidelines to require a known utility for patenting of ESTs that substantially alleviated, even if they did not totally resolve, this threat to science from overbroad patent rights.
34. Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the Legal Protection of Databases, 1996 O.J. (L 77) 20.
35. For a critical commentary on the EU database directive and kindred U.S. legislation, see, e.g., J. H. Reichman and P. Samuelson, Vanderbilt Law Rev. 50, 51 (1997).
36. See, e.g., National Research Council, Bits of Power: Issues in Global Access to Scientific Data (National Academy of Sciences Press, Washington, DC, 1997) (expressing concern about European Union-style database protection).
37. The role of scientific organizations in facilitating changes in U.S. policy is recounted in (38).
38. P. Samuelson, Va. J. Intl. Law 37, 369 (1997).
39. These efforts are recounted by J. H. Reichman and P. F. Uhlir [Berkeley Technol. Law J. 14, 793 (1999)].
40. I gratefully acknowledge research support from NSF grant SEC-9979852.

DOI: 10.1126/science.1063764

-- 
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:50 PDT