Canadian security firms express concern about DMCA being exported up north [ip]

[Declan McCullagh <declan () well com>]

-------- Original Message --------
Subject:        Canadian Security Co's Speak Out Against Anti-circumvention
Legislation
Date:   Tue, 8 Mar 2005 17:31:10 -0500
From:   Michael Geist <mgeist () pobox com>
To:     declan () well com


Declan,

A substantial group of Canada's security technology companies have sent
a public letter to the Industry and Heritage Ministers to express
concern about the potential for DMCA-like legislation in Canada.  Years
of discussions and no one bothered to ask these guys what they think.

The public letter has been posted online at
<http://www.cippic.ca/en/news/documents/Letter_to_Ministers_Emerson_and_Frulla_from_Security_Business_Community.pdf>

A release and backgrounder are at
http://www.cippic.ca/en/news/documents/Press_Release_-_Security_Businesses.pdf
http://www.cippic.ca/en/news/documents/Backgrounders_of_Participants.pdf

This might be a sign of Canada's technology community waking up to the
implications of copyright reforms that directly impact their businesses.

Best,
MG


March 8, 2005

/BY COURIER

/The Honourable David L. Emerson, P.C., M.P.
Minister of Industry
235, Queen Street, 11th Floor, East Tower
Ottawa, Ontario   K1A 0H5

The Honourable Liza Frulla, P.C., M.P.
Minister of Canadian Heritage and Status of Women
15 Eddy Street
Gatineau, Quebec  K1A 0M5

Dear Minister Emerson and Minister Frulla:

_*Re:     Proposals to include Anti-Circumvention Rights in A Bill to
Amend the/ Copyright Act/

*_We write to you as leaders of Canada's security research business
community.  We understand that the Canadian government in the near
future will introduce legislation to amend the/ Copyright Act/ to
introduce rights to prohibit the circumvention of technological
protection measures, or "TPMs".  Any such amendment will have profound
negative consequences for security researchers and businesses that
commercialize such research.  The business community involved with
security research and related services has a great deal at stake in this
legislation, both economically and technologically.  Despite these
considerations, the government has yet to consult with us.  We urge the
government to take our concerns into account prior to implementing any
such amendment.

Legal protection for TPMs is the equivalent of making screw-drivers
illegal because they can be used to break and enter.  Good legislation
targets the/ illegal act/, not the/ legal tools/ the crook might use.
Canada is already well-served by laws protecting copyright.  Outlawing
the technological tools - the screw-drivers of the technology community
- undermines Canada's commitment to fostering an economy built on
innovation and opportunity.

Understand that the science and business of digital security implicates
the practical application of circumvention technologies.  To understand
security threats, researchers must understand security weaknesses.  We
are not in the business of circumventing technological safeguards for
the purposes of exploiting the weaknesses we find; rather, we are in the
businesses of finding and addressing those weaknesses.  In this way, our
work offers crucial support to the business interests of those who seek
to protect their copyrighted works through technology.  Indeed,
technological protection measures and digital rights management systems
themselves are practical applications of the work of this research
community.

We observe that in other jurisdictions, rights holders have often sought
to enforce anti-circumvention rights for reasons other than copyright
protection.  Anti-circumvention rights have anti-competitive
applications. These have been well documented and should be familiar to
you.  We won't dwell on them here.  More troubling from a public policy
perspective, however, are those attempts to assert anti-circumvention
rights to silence critical research into security holes.  Such attempts
are at base motivated by a desire to maintain control over security
research in respect of particular platforms or applications.
Centralized control over security research does not make for good public
policy.  Security weaknesses are best found - and addressed - when a
variety of security researchers examine a platform or application.  The
odds of one party devising the best response to a security issue are
slim; the likelihood of an optimal response improves significantly when
a community of security researchers has the opportunity to examine and
test a platform or application.  Anti-circumvention laws throw a shroud
of legal risk over that community, and dampen security research at the
edges.  Simply, anti-circumvention laws that provide for excessive
control make for bad security policy.

The American experience under the/ Digital Millennium Copyright Act/
(the "DMCA") should be instructive in this regard.  Professor Ed Felton
of Princeton University was threatened with litigation (as were
conference organizers) for attempting to present his findings on
security holes in the work of the Secure Digital Music Initiative
industry working group.  Dmitri Sklyarov, a Russian programmer, was
jailed for travelling to the United States and presenting the results of
his work on a software tool that could be used to read Adobe's "e-book"
files.  American security researchers are choosing to avoid research
with DMCA implications.  Global experts on security now avoid traveling
to the United States.  Richard Clarke, former White House cybersecurity
and counterterrorism adviser, has observed that the DMCA's
anti-circumvention provisions have had a "chilling effect on
vulnerability research."  The DMCA has had a demonstrably negative
impact on security research in the United States.

Canada has historically been a global leader in the science of
cryptography.  Canada is now turning to apply that strength to the
business of digital security.  The Canadian government should support
this emerging industry, not erect market barriers or create new risks of
legal liability.  In the late nineties, the Canadian government made
online connectivity a priority with the goal of making Canada "the most
connected nation in the world".  Consistent with that goal, Canada
released its Cryptography Policy in 1998, envisioning digital security
as key to "building Canada's information economy and society", and
making a commitment to fostering the development of the digital security
business sector.  In 1998, the Canadian government recognized the
importance of this business sector to securing reliable electronic
commerce.  In the context of anti-circumvention laws, these
considerations have barely merited a mention.

Proponents of anti-circumvention laws protest that these laws do not
target "legitimate" security research, and that laws may be crafted with
exceptions for such research.  With respect, the DMCA carries such
exceptions.  They have proven both inadequate and ineffective in
protecting security researchers from threats of litigation.  Moreover,
such exceptions offer little security against the/ threat/ of
litigation.  Rights-holders have not hesitated to assert
anti-circumvention rights against researchers to maintain control over
public dissemination of security research implicating their applications
and platforms, even where such claims have only the most tenuous basis
in fact.  Nonetheless, such threats create a "liability chill".
Security researchers and businesses generally lack the time and
resources to defend such claims, with the result that the mere threat
achieves the claimant's objective.  The mere threat of liability for
circumvention is a mischief itself that may only be addressed by not
creating the basis for the threat in the first place.

In our view, the best policy would be to introduce no change to the law
at all.  Rights-holders are well protected by traditional rights under
the/ Copyright Act/.  An infringement remains an infringement regardless
of whether or not a TPM is circumvented.  TPMs themselves provide a
second layer of protection sufficient to deter all but the most
sophisticated would-be infringers.  Legally privileging TPMs would add a
third layer of protection; however, we seriously question whether the
marginal value of this legal protection outweighs the severe impairment
it causes to legitimate security research.

We welcome the opportunity to discuss the matters addressed in this
letter with you.  We look forward to being consulted by the government
on future developments in this area.

Yours truly,

Brian O'Higgins
Chief Technology Officer
Third Brigade, Ltd.

Brian Flood
Chief Executive Officer
VE Networks, Inc.

Bob Young,
Co-founder and Director, Red Hat, Inc.
Founder and CEO of Lulu, Inc.
Owner, Hamilton Tiger-Cats Football Team
Hugh Ellis
Chief Executive Officer
Cinnabar Networks Inc.

John Detombe
Director
AEPOS Technologies Corporation

Austin Hill
President
Synomos Inc.

John Alsop
Founder and Chairman
Borderware Technologies Inc.

Michael Kouritzin
Chief Executive Officer
Random Knowledge Inc.

Dr. Stefan Brands
President
Credentica

Carl C. Bond
President
Innusec, Inc.

Djenana Campara
Chief Technology Officer
Klocwork Inc.

Randy Sutton,
President
Elytra Enterprises Inc.

--

**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section
57 Louis Pasteur St., Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319     Fax: 613-562-5124
mgeist () pobox com              http://www.michaelgeist.ca
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)