Interesting People mailing list archives

Oh the web we weave -- Red Hat fights the DMCA


From: Dave Farber <dave () farber net>
Date: Wed, 16 Oct 2002 15:43:55 -0400


------ Forwarded Message
From: John Wittig <john.wittig () proloquor com>
Date: Wed, 16 Oct 2002 14:30:32 -0500
To: dave () farber net
Subject: Red Hat fights the DMCA

http://www.theregus.com/content/4/26656.html

If I tell you that I'll have to kill you: Red Hat fights the DMCA
By John Lettice
Posted: 10/16/2002 at 04:33 EST


Red Hat has struck a small blow against the DMCA, by publishing a security
patch which can only be explained fully to people who are not within US
jurisdiction. The company's position here seems to be not altogether
voluntary - according to a spokesman "it is bizarre, and unfortunately
something Red Hat cannot easily do much about," but like it or not Red Hat
has been recruited to the campaign to make the DMCA look ridiculous.

The patch itself is on the Red Hat site, on this page, and the oddity here
can be seen if you go down to the bottom. Under the heading "references"
there is a link to http://www.thefreeworld.net/non-US/. At this point, those
of you reading this while within US jurisdiction should have a care. We will
endeavour to unfold the tale to you without exposing ourselves to action
under the DMCA, but we stress now that we are not encouraging you to do so,
nor is it our intention to provide you with the tools to do so.

Thefreeworld.net is not as yet an especially widely-known site, but its
purpose is explained here. Briefly, it notes that the US has shown a
readiness to bust individuals who perfectly legally publish information and
software outside of the US, on the basis that this is published to people
within US jurisdiction, among others. In order to publish this information
without getting busted, Thefreeworld.net uses a licensing agreement which
specifically rules out people within US jurisdiction. You can see the
licence here, and again we stress that people within US jurisdiction should
not accept this licence.

This bit makes it all nice and clear:

By continuing you warrant that you:
* are not a citizen of the USA.
* are not under US jurisdiction, including embassies, naval vessels,
  military bases and other areas of US jurisdiction.
* are permitted to import security information that may include information
  that can be used to subvert copy or content protection, even though this
  is not the primary purpose of the supply of this information.
* are not obtaining the information with the intent to commit a crime.
* understand the information is provided without fee and without warranty
  and/or guarantee of correctness of any kind.
* acknowledge that by downloading the data outside of the European Union you
  are performing an act of importation.

This rules out several Register staffers, and as Mr Orlowski in particular,
not being a US citizen but being within easy reach of the feds, is
particularly vulnerable to being lined up in front of a military tribunal in
Cuba and shot, we caution him to stay away.

So what's all this got to do with Red Hat? Well, non-qualifying people, we
can't exactly tell you that. But when we asked Red Hat about it we got an
official comment which at least partially explains it: "RHSA-2002-158 is an
errata kernel which addresses certain security vulnerabilities. Quite
simply, these vulnerabilities were discovered and documented by ppl outside
of the US, and due to the Digital Millennium Copyright Act legislation in
the US, it is potentially dangerous to disclose any information on security
vulnerabilities, which may also be used in order to circumvent digital
security - i.e. computer security. For this reason, RH cannot publish this
security information, as it is not available from the community in the first
instance. The www.thefreeworld.net site allows for accessing this
information, but requires you agree to terms which protect the author and
documenter of the patches from being accusations that they themselves have
breached DMCA."

Got that? In some instances at least, the very act of explaining what has
been fixed by a security patch could be construed as explaining how the
security of a product could be breached, and hence could be viewed as a
breach of the DMCA.

This is of course ridiculous. Does this mean that all of the companies
issuing security advisories are breaching the DMCA? Well, quite possibly.
Does it mean The Register's pole position security watcher John Leyden might
be breaching the DMCA every day of his life? Oh dear.

Obviously, it is ridiculous, and the notion that the DMCA could be used to
send virtually the entire security industry to prison for a very long time
is ridiculous - just as ridiculous as the idea that the US authorities are
going to start flying non-US citizens to Cuba to shoot them. But if neither
of these things are ever going to happen, why do the laws permit them? At
the very least, it's untidy.

It seems to us that the authors of the explanatory document which US
citizens are not permitted to read would have been most unlikely to get
themselves busted by just publishing it. We could of course be wrong, but it
seems to us the more likely purpose of the exercise was to make a point,
which they have done splendidly.

The document has been copyrighted, and the authors have chosen to restrict
its distribution, and to use Thefreeworld.net licence as the mechanism for
doing so. Note that it is the copyright, rather than fear of the DMCA, that
has forced Red Hat to join in. Looking at the Ts & Cs we think it would
probably be OK (i.e. not a breach of copyright) for us to publish it here
via a click-through agreement for the benefit (or should that be continuing
deprivation?) of US readers, and we could adopt a DMCA defence wall along
the lines of Thefreeworld.net's in order to shield ourselves from the other
stuff. Not that we'd be any more likely to get busted than the authors, but
we feel a responsibility to support their stance here.

But as you already know where you can or can't read it, our duplicating the
mechanisms here would serve no purpose. Making points in the way the authors
have however does serve a purpose, because it keeps the DMCA in the public
eye, and exposes its stupidities. More of this would be good, and possibly
most excellent sport, we think.

And the perpetrators? It's not entirely clear, but Red Hat names some of the
people involved in the fixes. In addition, we understand that some guy
called Alan Cox might have been in some way connected. You may have heard of
him. ®




------ End of Forwarded Message
