Information Security News mailing list archives

Dutch Cryptographer Cries Foul


From: InfoSec News <isn () c4i org>
Date: Thu, 16 Aug 2001 01:00:53 -0500 (CDT)

http://www.wired.com/news/politics/0,1283,46091,00.html

By Steve Kettmann 
10:40 a.m. Aug. 15, 2001 PDT  

BERLIN -- A Dutch cryptography expert blasted as "horrific" the
ambiguous legal reach of the U.S. Digital Millennium Copyright Act,
which he feels bars him from publishing his work, even in the
Netherlands.

Niels Ferguson revealed last weekend at the Hackers at Large
conference in Enschede, Netherlands, that he had found a way around
Intel Corporation's High-bandwidth Digital Content Protection (HDCP)
for digital video.

But he said he would not be publishing his findings out of fear of the
legal ramifications, and on Wednesday he vowed to campaign against
what he feels is the inappropriate scope of the DMCA.

"I've written a paper on this, containing all this information, and I
decided not to publish it for fear of liability and fear of
prosecution under the U.S. Digital Millennium Copyright Act," he said.

"How can I know which laws are applying to me? The principle of
applying national laws to international jurisdictions is horrific.
I've had to censor myself, because the risk is too big, but I'm not
doing it quietly."

In fact, Ferguson will visit the United States starting Friday for a
conference on cryptography, Crypto 2001, in Santa Barbara, California,
and plans to continue speaking out against the DMCA.

He will not be presenting a paper at the conference, but on Tuesday
night there is a session intended for just such "late-breaking news"
as what Ferguson has to share, said event organizer Joe Kilian, a
cryptographer with Yianilos Labs in Princeton, New Jersey. The DMCA is
sure to be a major topic of conversation in Santa Barbara, he added.

"The potential for abuse is tremendous," said Kilian. "Those of us who
work in digital rights management have to have a realistic perspective
on what we hope to achieve. The analogy I give is: Encryption is like
a brick wall. You can encrypt a file and people will have a hard time
breaking that encryption without a key. But if you're trying to
protect music or a video, all you can really do is erect speed bumps.
The Digital Millennium Copyright Act basically says let's make
everyone pretend that our digital rights management systems are
stronger than they really are."

The legal reach of the act remains unclear, and Ferguson is still
exploring his legal situation.

"I've talked with a lawyer from the Electronic Frontier Foundation,
and today I've just spoken to another lawyer in California working on
this area," Ferguson said.

"Even publishing this stuff in the Netherlands would open me up to
civil and criminal liability," he said. "The law is very vague. In my
opinion, it is so obviously violating the First Amendment. And yet all
these lawyers are threatening lawsuits over it."

Ferguson stressed that Intel has in no way threatened him. But he
worries that if he did publish, and Intel did take legal action, other
lawsuits may follow -- including, perhaps, one initiated by the Motion
Picture Association of America.

He has closely followed the case of Princeton University professor
Edward Felten, who was able to disable the anti-piracy technology used
by the music industry.

Felten decided against explaining his findings at a Pittsburgh
conference last spring after what he described as legal threats from a
lawyer representing the Recording Industry Association of America.
Later, the RIAA said it had no intention to sue Felten or his
associates, clearing the way for him to share his research.

"He's in many ways in a similar situation," Ferguson said Wednesday of
Felten. "But he was actually threatened. I want to make it quite
clear, Intel has never threatened me. I have no reason to believe
Intel will be as bad as RIAA."

The official Intel line follows, as explained by company spokesman
Daven Oswalt: "We have no problem with Mr. Ferguson presenting his
research. The information that he's saying, it's certainly his right
to say it."

However, when it comes to the DMCA itself, Intel's position appears a
bit harder. Continues Oswalt: "Even if Intel entered into an agreement
(not to sue), we'd have no control of what other government
authorities would decide. It's hard for us to tell what the legal
ramifications (were of publishing)."

As Robin Gross, the EFF intellectual property lawyer with whom
Ferguson has consulted, put it early this week in a statement: "The
recording industry has done untold damage by their threats to Felten
and the other researchers, their universities, and the conference
organizers. The resulting chilling effect on the broader scientific
community continues unabated."

For Ferguson, then, the enemy is not Intel, but a vague legal act that
disrupts the free flow of information worldwide.

As Ferguson explained Wednesday in a new posting at his website, he
was left little choice but to "censor" himself, even though sharing
information is an essential part of his work as a professional
cryptographer.

"Computer security and cryptography are hard," he said. "It is easy to
make mistakes, and one mistake is all it takes to create a weakness.
We share our knowledge with others, so that they don't have to repeat
the same mistake."

He goes on to explain that HDCP is "fatally flawed. Once you know the
master key, you can decrypt any movie, impersonate any HDCP device,
and even create new HDCP devices that will work with the 'official'
ones. This is really, really bad news for a security system. If this
master key is ever published, HDCP will provide no protection
whatsoever. The flaws in HDCP are not hard to find. As I like to say:
'I was just reading it and it broke.'"

But he is not about to give up traveling to the United States,
something he might have to do if he published his work and legal
action was taken against him. Instead, he will speak out against what
he believes is an injustice, joining Felten and Russian programmer
Dmitry Sklyarov as high-profile foes of the DMCA.

"He is charged with violating the DMCA while performing his work in
Russia as an employee for a Russian firm," Ferguson writes of
Sklyarov. "As far as we know, what he did was perfectly legal in
Russia, and in most other countries in the world."

 

