Copyright law chills IT security research

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-91_STO63180,00.html

By DAN VERTON 
August 20, 2001

A cloud of fear and uncertainty hung over the 10th annual Usenix
Security Symposium here last week, as IT researchers wondered
nervously whether they would be hauled off to jail by the FBI for
revealing security flaws in an antipiracy technology backed by the
music industry.

That didn't happen, but new charges of government censorship are being
levied by critics of a 1998 law designed to protect copyrighted
digital material, such as software, from unauthorized access and
copying (see story). If the law isn't changed, legitimate scientists
and corporate IT workers conducting research to improve computer and
network security could be sent to jail, legal experts said.

The team of IT researchers, headed by Edward Felten, a professor at
Princeton University, and flanked by lawyers from the San
Francisco-based Electronic Frontier Foundation (EFF), originally
planned to present the paper at a conference in April. But they
backpedaled after the Recording Industry Association of America (RIAA)
threatened to sue.

Felten took the RIAA to court in June, and the association eventually
retracted its legal threats and gave Felten permission to present and
publish his paper only at the Usenix symposium.

The paper, titled, "Reading Between the Lines: Lessons from the SDMI
Challenge," makes public several inherent security flaws in a
technology developed to prevent unauthorized copying of digital music
files. Felten and others conducted the research last September while
taking part in a security contest sponsored by a consortium of
recording companies known as the Secure Digital Music Initiative
(SDMI).

Despite what Felten and others called "a partial victory" for science
and the First Amendment rights of legitimate researchers, the overly
broad nature of the 1998 Digital Millennium Copyright Act (DMCA)
threatens to stifle future IT research, according to legal experts.

"The DMCA set up a system where, essentially, the government
outsourced censorship of science," said Cindy Cohn, the EFF's legal
director. The EFF is representing Felten, as well as Dmitry Sklyarov,
a Russian programmer arrested on July 16 in Las Vegas for allegedly
developing a software program that unlocks the encryption used to
protect the copyrights of electronic-book publishers.

Other scholars "have been chilled" by what happened to Felten, and
foreign cryptographers are afraid to travel to the U.S., said Cohn.

A Matter of Scope

Enacted in 1998, the DMCA broadly outlines restrictions on the
distribution or sale of any product, service or technology that
circumvents access protections to copyrighted material. Although the
law provides exemptions for law enforcement officials as well as
encryption and security researchers, legal experts said it's unclear
how far the law extends and whether corporate IT workers conducting
integration work could be caught in its web.

"There are questions about scope," said Peter Jaszi, a law professor
at American University's Washington College of Law. A lot "depends on
the actual consent" of the owner or copyright holder of the software,
said Jaszi. In the case of encryption research, "a good-faith attempt"
to gain such consent is necessary, he said.

But not everyone agrees that the DMCA is a bad thing. Industry
representatives, as well as authors and other content providers, have
vehemently argued that the DMCA protects their right to earn a living
by discouraging dishonest people from violating copyright protections.

The DMCA is "a well-balanced piece of legislation that took into
account every group's interests," said Keith Kupferschmid,
intellectual property counsel for the Software & Information Industry
Association in Washington.

In the Sklyarov case, for example, the Russian programmer engaged in
the trafficking of software that circumvented technological protection
measures, Kupferschmid said. Sklyarov, an employee at Moscow-based
ElcomSoft Co., allegedly tried to sell copies of the circumvention
software at the Def Con conference in Las Vegas.

Dan Langin, an attorney who specializes in computer security and
represents companies such as Redwood City, Calif.-based Recourse
Technologies Inc., said the fair-use clause of the DMCA excludes
reverse-engineering for the purposes of doing integration work and
legitimate research. In that respect, "IT workers have pretty solid
ground to stand on," he said. Nonetheless, Langin added that a written
agreement with software companies for access to code beyond the normal
application programming interface is a critical protection.

For Felten and other researchers, however, the uncertainty of how far
the law extends is cause enough to stifle legitimate research that can
have positive effects beyond computer security.

"The DMCA seems to cast a very wide net and will catch a lot of things
besides computer security," said Felten. For example, the
echo-detection methods used by Felten's research team to break the
security of music CDs is a breakthrough technology that can be used by
seismologists, he said.

"People don't know what they can say and what they can write," said
Felten. "The scientific community can't operate that way."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.