Canadian Security Co's Speak Out Against Anti-circumvention Legislation

[David Farber <dave () farber net>]

------ Forwarded Message
From: Michael Geist <mgeist () pobox com>
Date: Tue, 08 Mar 2005 17:30:17 -0500
To: <dave () farber net>
Subject: Canadian Security Co's Speak Out Against Anti-circumvention
Legislation

Dave,

A substantial group of Canada's security technology companies have sent a
public letter to the Industry and Heritage Ministers to express concern
about the potential for DMCA-like legislation in Canada.  Years of
discussions and no one bothered to ask these guys what they think.

The public letter has been posted online at
<http://www.cippic.ca/en/news/documents/Letter_to_Ministers_Emerson_and_Frul
la_from_Security_Business_Community.pdf>

A release and backgrounder are at
http://www.cippic.ca/en/news/documents/Press_Release_-_Security_Businesses.p
df
http://www.cippic.ca/en/news/documents/Backgrounders_of_Participants.pdf

This might be a sign of Canada's technology community waking up to the
implications of copyright reforms that directly impact their businesses.

Best,
MG


March 8, 2005

BY COURIER

The Honourable David L. Emerson, P.C., M.P.
Minister of Industry
235, Queen Street, 11th Floor, East Tower
Ottawa, Ontario   K1A 0H5

The Honourable Liza Frulla, P.C., M.P.
Minister of Canadian Heritage and Status of Women
15 Eddy Street
Gatineau, Quebec  K1A 0M5

Dear Minister Emerson and Minister Frulla:

Re:     Proposals to include Anti-Circumvention Rights in A Bill to Amend
the Copyright Act

We write to you as leaders of Canada's security research business community.
We understand that the Canadian government in the near future will introduce
legislation to amend the Copyright Act to introduce rights to prohibit the
circumvention of technological protection measures, or "TPMs".  Any such
amendment will have profound negative consequences for security researchers
and businesses that commercialize such research.  The business community
involved with security research and related services has a great deal at
stake in this legislation, both economically and technologically.  Despite
these considerations, the government has yet to consult with us.  We urge
the government to take our concerns into account prior to implementing any
such amendment.

Legal protection for TPMs is the equivalent of making screw-drivers illegal
because they can be used to break and enter.  Good legislation targets the
illegal act, not the legal tools the crook might use.  Canada is already
well-served by laws protecting copyright.  Outlawing the technological tools
- the screw-drivers of the technology community - undermines Canada's
commitment to fostering an economy built on innovation and opportunity.

Understand that the science and business of digital security implicates the
practical application of circumvention technologies. To understand security
threats, researchers must understand security weaknesses.  We are not in the
business of circumventing technological safeguards for the purposes of
exploiting the weaknesses we find; rather, we are in the businesses of
finding and addressing those weaknesses.  In this way, our work offers
crucial support to the business interests of those who seek to protect their
copyrighted works through technology.  Indeed, technological protection
measures and digital rights management systems themselves are practical
applications of the work of this research community.

We observe that in other jurisdictions, rights holders have often sought to
enforce anti-circumvention rights for reasons other than copyright
protection.  Anti-circumvention rights have anti-competitive applications.
These have been well documented and should be familiar to you.  We won't
dwell on them here. More troubling from a public policy perspective,
however, are those attempts to assert anti-circumvention rights to silence
critical research into security holes.  Such attempts are at base motivated
by a desire to maintain control over security research in respect of
particular platforms or applications.  Centralized control over security
research does not make for good public policy. Security weaknesses are best
found - and addressed - when a variety of security researchers examine a
platform or application. The odds of one party devising the best response to
a security issue are slim; the likelihood of an optimal response improves
significantly when a community of security researchers has the opportunity
to examine and test a platform or application.  Anti-circumvention laws
throw a shroud of legal risk over that community, and dampen security
research at the edges.  Simply, anti-circumvention laws that provide for
excessive control make for bad security policy.

The American experience under the Digital Millennium Copyright Act (the
"DMCA") should be instructive in this regard. Professor Ed Felton of
Princeton University was threatened with litigation (as were conference
organizers) for attempting to present his findings on security holes in the
work of the Secure Digital Music Initiative industry working group.  Dmitri
Sklyarov, a Russian programmer, was jailed for travelling to the United
States and presenting the results of his work on a software tool that could
be used to read Adobe's "e-book" files.  American security researchers are
choosing to avoid research with DMCA implications. Global experts on
security now avoid traveling to the United States. Richard Clarke, former
White House cybersecurity and counterterrorism adviser, has observed that
the DMCA's anti-circumvention provisions have had a "chilling effect on
vulnerability research."  The DMCA has had a demonstrably negative impact on
security research in the United States.

Canada has historically been a global leader in the science of cryptography.
Canada is now turning to apply that strength to the business of digital
security.  The Canadian government should support this emerging industry,
not erect market barriers or create new risks of legal liability.  In the
late nineties, the Canadian government made online connectivity a priority
with the goal of making Canada "the most connected nation in the world".
Consistent with that goal, Canada released its Cryptography Policy in 1998,
envisioning digital security as key to "building Canada's information
economy and society", and making a commitment to fostering the development
of the digital security business sector. In 1998, the Canadian government
recognized the importance of this business sector to securing reliable
electronic commerce.  In the context of anti-circumvention laws, these
considerations have barely merited a mention.

Proponents of anti-circumvention laws protest that these laws do not target
"legitimate" security research, and that laws may be crafted with exceptions
for such research.  With respect, the DMCA carries such exceptions.  They
have proven both inadequate and ineffective in protecting security
researchers from threats of litigation.  Moreover, such exceptions offer
little security against the threat of litigation.  Rights-holders have not
hesitated to assert anti-circumvention rights against researchers to
maintain control over public dissemination of security research implicating
their applications and platforms, even where such claims have only the most
tenuous basis in fact.  Nonetheless, such threats create a "liability
chill".  Security researchers and businesses generally lack the time and
resources to defend such claims, with the result that the mere threat
achieves the claimant's objective.  The mere threat of liability for
circumvention is a mischief itself that may only be addressed by not
creating the basis for the threat in the first place.

In our view, the best policy would be to introduce no change to the law at
all.  Rights-holders are well protected by traditional rights under the
Copyright Act.  An infringement remains an infringement regardless of
whether or not a TPM is circumvented. TPMs themselves provide a second layer
of protection sufficient to deter all but the most sophisticated would-be
infringers. Legally privileging TPMs would add a third layer of protection;
however, we seriously question whether the marginal value of this legal
protection outweighs the severe impairment it causes to legitimate security
research. 

We welcome the opportunity to discuss the matters addressed in this letter
with you.  We look forward to being consulted by the government on future
developments in this area.

Yours truly,

Brian O'Higgins
Chief Technology Officer
Third Brigade, Ltd.

Brian Flood
Chief Executive Officer
VE Networks, Inc.

Bob Young,
Co-founder and Director, Red Hat, Inc.
Founder and CEO of Lulu, Inc.
Owner, Hamilton Tiger-Cats Football Team
Hugh Ellis
Chief Executive Officer
Cinnabar Networks Inc.

John Detombe
Director
AEPOS Technologies Corporation

Austin Hill
President
Synomos Inc.

John Alsop
Founder and Chairman
Borderware Technologies Inc.

Michael Kouritzin
Chief Executive Officer
Random Knowledge Inc.

Dr. Stefan Brands
President
Credentica

Carl C. Bond
President
Innusec, Inc.

Djenana Campara
Chief Technology Officer
Klocwork Inc.

Randy Sutton,
President
Elytra Enterprises Inc.

-- 
**********************************************************************
Professor Michael A. Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa Law School, Common Law Section
57 Louis Pasteur St., Ottawa, Ontario, K1N 6N5
Tel: 613-562-5800, x3319     Fax: 613-562-5124
mgeist () pobox com              http://www.michaelgeist.ca


------ End of Forwarded Message

-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/