Information Security News mailing list archives

Security research exemption to DMCA considered


From: InfoSec News <isn () c4i org>
Date: Wed, 14 May 2003 00:17:17 -0500 (CDT)

http://www.securityfocus.com/news/4729

By Kevin Poulsen
SecurityFocus 
May 13 2003 

Computer security researchers would be allowed to hack through copy
protection schemes in order to look for security holes in the software
being protected, under a proposed exception to the Digital Millennium
Copyright Act (DMCA) being debated in official hearings this week.

Enacted as an anti-piracy measure in 1998, after fierce lobbying from
the motion picture and recording industries, the DMCA's
anti-circumvention provision generally makes it unlawful for anyone to
"circumvent a technological measure that effectively controls access"  
to DVD movies, digital music, electronic books, computer programs, or
any other copyrighted work. To do so for commercial advantage or
personal profit is a felony carrying up to five years in prison.

But Congress built a safety-valve of sorts into the law, giving the
U.S. Copyright Office - part of the Library of Congress - the power to
create exceptions to the DMCA to protect legitimate, non-infringing
uses of copyrighted material. In October, 2000, when the law took full
force, the office carved out two narrow exemptions: one allowing
researchers to crack so-called "censorware" applications to learn what
websites they block, and a second exemption for old computer programs
and databases rendered unusable by a defective or obsolete access
control mechanism.

To that list, the Association for Computing Machinery (ACM) would like
to add an exemption permitting white hat hackers to crack copy
protection schemes "that fail to permit access to recognize
shortcomings in security systems, to defend patents and copyrights, to
discover and fix dangerous bugs in code, or to conduct forms of
desired educational activities."

"I'm going to argue that the [current] exemptions aren't sufficient,
because we're having security people threatened," says ACM's Barbara
Simons.

In 2000, a recording industry standards group used the threat of a
DMCA lawsuit to block Princeton University professor Ed Felten from
publishing a paper on weaknesses in a digital audio watermarking
scheme. The group quickly retracted that threat, and similar cases are
rare, but Simons says the DMCA still casts a shadow over the academic
security community in a more subtle form, discernable in outline.  
"It's much harder to document what doesn't get written, what doesn't
get published," says Simons. "But it's had a very chilling effect."

The current exemptions expire in October of this year, unless the
Copyright Office chooses to reestablish them. The office took
testimony on that question, and on proposals for additional
exemptions, earlier this month in Washington D.C., and will hold a
final round of public hearings in Los Angeles on Wednesday and
Thursday of this week.

Simons, who's testifying Wednesday, indicated she'll argue the
computer security exemption as a homeland security issue: independent
software security research is more important than ever, she says. "The
bad guys aren't going to publish the results, they're just going to
exploit them... We should be eliminating the laws that encourage
insecurity."
  
<tips () securityfocus com>

 


-
ISN is currently hosted by Attrition.org
