Politech mailing list archives

FC: More on DMCA restricting forensics tools and crypto research


From: Declan McCullagh <declan () well com>
Date: Sun, 26 Aug 2001 11:21:46 -0400

There seem to be two important questions here:
1. Do the DMCA's civil or criminal sections apply to developing and selling police forensics tools to the general public? Does the law enforcement exception in the DMCA stretch to make such behavior lawful -- if you sell only to law enforcement?
2. Do the DMCA's civil or criminal sections make publishing an academic paper or news article about how-to-circumvent-copy-protection illegal? What if source code is included?

I think the answer to question #2 is easier: No, at least if source code is not included, no matter what the RIAA/SDMI may say. Question #1 seems a bit more tricky.

Below are responses from:
* Lee Hollaar, who was a fellow with the Senate Judiciary committee and worked on the DMCA. Lee is a computer science prof at the University of Utah and has been the chair of IEEE-USA's Intellectual Property committee.
* Harvey Silverglate of Silverglate and Good in Boston, who successfully defended the first criminal not-for-profit copyright infringement case
* R. Polk Wagner at the University of Pennsylvania's law school
* Peter Wayner, author of Disappearing Cryptography
* Fred Cohen, whose article to RISKS started this thread
* David Wagner in the computer science department at the University of California at Berkeley
* and others

Previous article:
http://www.politechbot.com/p-02432.html

DMCA article archive:
http://www.politechbot.com/p-02432.html

-Declan

*********

Date: Sat, 25 Aug 2001 17:40:09 -0600
From: "Lee Hollaar" <hollaar () cs utah edu>
To: declan () well com
Subject: Re: FC: DMCA restricts police forensics tools, cryptanalysis research?
In-Reply-To: <5.0.2.1.0.20010825181724.02134940 () mail well com>

At 04:41 PM 8/25/2001, you wrote:
Because the primary purpose of most of my forensic analysis tools is to
reveal things that are protected from revelation, and because the DMCA
makes it illegal to distribute such a device, I have been forced (based
on the recent arrests and other threats against authors of such things)
to withdraw my forensic products from the market.

I should note that companies like Access Data who sell products that are
explicitly designed for undoing encryption, etc.  are almost certainly in
violation of the DMCA.  While the FBI might not arrest them now because they
sell to the FBI (and others in law enforcement - as did I), this does not
mean that the FBI cannot arrest them at any time and charge them with a
felony.  Indeed, sale to law enforcement is not legal, even though law
enforcement can, on its own, build and use such tools.

Take a look at 17 USC 1201(e) --
    Law Enforcement, Intelligence, and Other Government Activities.-
    This section [the anticircumvention provision, section 1201] does not
    prohibit any lawfully authorized investigative, protective, information
    security, or intelligence activity of an officer, agent, or employee of
    the United States, a State, or a political subdivision of a State, or a
    person acting pursuant to a contract with the United States, a State,
    or a political subdivision of a State. For purposes of this subsection,
    the term "information security" means activities carried out in order
    to identify and address the vulnerabilities of a government computer,
    computer system, or computer network.

Of course, selling something to law enforcement would be "acting pursuant
to a contract" for that sale.

*********

From: "Harvey Silverglate" <has () world std com>
To: <declan () well com>
Subject: RE: DMCA restricts police forensics tools, cryptanalysis research?
Date: Sun, 26 Aug 2001 00:59:56 -0400

Declan
        I think you're right, but this law is a little tricky, and there's an
atmosphere afoot that is not healthy for free speech or publicizing one's
research. On the other hand, if there's going to be a test case of DMCA, one
hopes that the fact setting will be conducive to a conclusion that the
defendant was indeed discussing his research, rather than using the First
Amendment as a cover for cracking. The ACLU has always been good, for
example, at picking test cases where the facts made it more likely that we'd
make good law.
        Harvey

*********

Date: Sun, 26 Aug 2001 00:02:04 -0400
Subject: Re: FC: DMCA restricts police forensics tools, cryptanalysis research?
From: "R. Polk Wagner" <polk () law upenn edu>
To: <declan () well com>

On 8/25/01 6:41 PM, "Declan McCullagh" <declan () well com> wrote:

> The below message is from today's RISKS Digest
> (http://www.csl.sri.com/users/risko/risksinfo.html).
>
> The DMCA (sec. 1201) says in part "no person shall manufacture, import,
> offer to the public, provide, or otherwise traffic" in anything that "is
> primarily designed or produced for the purpose of circumventing a
> technological measure that effectively controls access to a work protected
> under this title." Anyone care to speculate about whether that applies to
> Fred's product? (http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:)
>

The DMCA has a specific exception for encryption research activities, 17 USC
1201(g), as well as law enforcement activities, 17 USC 1021(e).  As far as I
know, the true scope of those exceptions hasn't yet been tested.

> While the DMCA may well be an awful law, one thing I've never understood is
> why many folks seem to think it bans publishing your research into security
> flaws and so on. The RIAA/SDMI threats against Ed Felten & co were
> spurious. There are two prongs to the DMCA: Don't bypass copy protection
> schemes, and don't sell stuff that automates that process. Nowhere does the
> law say "don't tell others what you learned." Even if circumventing (for
> profit) is a felony, telling people how they could theoretically break the
> law is generally legal, right?
> (http://www.loompanics.com/Articles/HitManLawsuit.htm)
>

(1) Telling others in some detail might be within the meaning of "provide"
in these circumstances.

(2) One could also make the claim that one commits contributory infringement
by telling someone else how to circumvent.

I think both of these arguments are really weak, but at least some folks on
both sides of the debate seem to buy them.  I suppose there will be some
fear until a court officially shoots the theories down.

--
=====================================
R. Polk Wagner
University of Pennsylvania Law School
3400 Chestnut Street
Philadelphia, Pennsylvania  19104
http://www.law.upenn.edu/polk/
=====================================

*********

Date: Sat, 25 Aug 2001 19:23:16 -0400
To: declan () well com
From: Peter Wayner <pcw2 () flyzone com>
Subject: Re: FC: DMCA restricts police forensics tools, cryptanalysis research?

While the DMCA may well be an awful law, one thing I've never understood is why many folks seem to think it bans publishing your research into security flaws and so on. The RIAA/SDMI threats against Ed Felten & co were spurious. There are two prongs to the DMCA: Don't bypass copy protection schemes, and don't sell stuff that automates that process. Nowhere does the law say "don't tell others what you learned." Even if circumventing (for profit) is a felony, telling people how they could theoretically break the law is generally legal, right? (http://www.loompanics.com/Articles/HitManLawsuit.htm)

I believe that it becomes a bit more of a problem when you actually circulate source code. Yes, this is human readable and definitely a means of expressing your opinion to a larger group. But it's also a mechanism that will turn into software after being passed through a compiler. So is it software or speech?

-Peter

*********

Subject: Re: DMCA restricts police forensics tools, cryptanalysis research?
To: declan () well com (Declan McCullagh)
Date: Sat, 25 Aug 2001 16:12:15 -0700 (PDT)
Cc: politech () politechbot com
In-Reply-To: <5.0.2.1.0.20010825181724.02134940 () mail well com> from "Declan McCullagh" at Aug 25, 2001 06:41:56 PM
From: Fred Cohen <fc () all net>

Per the message sent by Declan McCullagh:

> The below message is from today's RISKS Digest
> (http://www.csl.sri.com/users/risko/risksinfo.html).

> The DMCA (sec. 1201) says in part "no person shall manufacture, import,
> offer to the public, provide, or otherwise traffic" in anything that "is
> primarily designed or produced for the purpose of circumventing a
> technological measure that effectively controls access to a work protected
> under this title." Anyone care to speculate about whether that applies to
> Fred's product? (http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:)

I believe it is quite clear that a product such as mine that is intended
to bypass effective controls over access to copyrighted works (which is
anything put into tangible form unless specifically not copyrighted) violates
this law.

> While the DMCA may well be an awful law, one thing I've never understood is
> why many folks seem to think it bans publishing your research into security
> flaws and so on.

It does not prohibit research, only manufacture, import, offer to the
public, provide, or otherwise traffic ...  the obvious problem being
that research without publication is not useful if we are to make
scientific progress.

> The RIAA/SDMI threats against Ed Felten & co were spurious.

They were not.  They had a chilling effect on him and on the rest of us
doing research into such things.  Could they have been enforced? We may
never know.  They are being used rather brutally against a Russian
gentleman - one of the motivating factors in my decision for certain.

> There are two prongs to the DMCA: Don't bypass copy protection
> schemes, and don't sell stuff that automates that process. Nowhere does the
> law say "don't tell others what you learned."

It says that trafficking in information that leads to defeating protection
is covered.

> Even if circumventing (for
> profit) is a felony, telling people how they could theoretically break the
> law is generally legal, right?

Theory is one thing - practical information is another.  But I wouldn't
be too sure, and I am not all that certain - hence I am taking the prudent
route.

> (http://www.loompanics.com/Articles/HitManLawsuit.htm)

> -Declan

FC
--This communication is confidential to the parties it is intended to serve--
Fred Cohen              Fred Cohen & Associates.........tel/fax:925-454-0171
fc () all net              The University of New Haven.....http://www.unhca.com/
http://all.net/         Sandia National Laboratories....tel:925-294-2087

*********

From: David Wagner <daw () cs berkeley edu>
Subject: FC: DMCA restricts police forensics tools, cryptanalysis research?
To: declan () well com
Date: Sat, 25 Aug 2001 16:12:16 -0700 (PDT)

In article <5.0.2.1.0.20010825181724.02134940 () mail well com> you write:
>While the DMCA may well be an awful law, one thing I've never understood is
>why many folks seem to think it bans publishing your research into security
>flaws and so on.

Ahh, how I wish it were as clearcut as you suggest.

It's the "or component thereof" language (see the statute)
which I'm told could be interpreted to include a paper that
describes the algorithm for breaking a system, for instance.
I've gotten the sense that this is not the most likely outcome,
but even if there is only a 10% chance that some judge will
interpret the statute in this way, that's more than enough
for significant amounts of research to be chilled.

You could say that the fear is due to uncertainty about how
the DMCA will be interpreted as much as anything else.  The
problem is that no one can promise us "there's no risk that
your paper could be construed as a violation of the DMCA",
and as long as this persists, one can only expect that people
will be cautious.

-- David

*********

From: "Charles L. Jackson" <chuck () jacksons net>
To: <declan () well com>
Subject: RE: DMCA restricts police forensics tools, cryptanalysis research?
Date: Sat, 25 Aug 2001 19:46:57 -0400
In-Reply-To: <5.0.2.1.0.20010825181724.02134940 () mail well com>

Re:  Law enforcement.  The DMCA says:
(e) LAW ENFORCEMENT, INTELLIGENCE, AND OTHER GOVERNMENT ACTIVITIES.-This
section does not prohibit any lawfully authorized investigative, protective,
information security, or intelligence activity of an officer, agent, or
employee of the United States, a State, or a political subdivision of a
State, or a person acting pursuant to a contract with the United States, a
State, or a political subdivision of a State. For purposes of this
subsection, the term "information security" means activities carried out in
order to identify and address the vulnerabilities of a government computer,
computer system, or computer network.


Section (g)(2) of the DMCA describes "Permissible Acts of Encryption
Research."  (That phrase seems to indicate that there are impermissible acts
of encryption research).

One of the factors determining whether research is permissible is where the
research is published.  Specifically, the law states "In determining whether
a person qualifies for the exemption under paragraph (2), the factors to be
considered shall include -
(A) whether the information derived from the encryption research was
disseminated, and if so, whether it was disseminated in a manner reasonably
calculated to advance the state of knowledge or development of encryption
technology, versus whether it was disseminated in a manner that facilitates
infringement under this title"

For a lighter discussion of this last point see
http://www.zdnet.com/zdnn/stories/comment/0,5859,2807159,00.html

Chuck Jackson

*********

From: "Timothy McGhee" <mcghee () bigfoot com>
To: <declan () well com>
References: <5.0.2.1.0.20010825181724.02134940 () mail well com>
Subject: Re: DMCA restricts police forensics tools, cryptanalysis research?
Date: Sat, 25 Aug 2001 20:07:27 -0400

> While the DMCA may well be an awful law, one thing I've never understood is
> why many folks seem to think it bans publishing your research into security
> flaws

Two reasons for you:

Reason #1:  http://www.politechbot.com/p-02270.html

   This would be the second known prosecution under the criminal sections
   of the controversial Digital Millennium Copyright Act, (DMCA) which
   took effect last year and makes it a crime to "manufacture" products
   that circumvent copy protection safeguards.

Doesn't "publishing your research" = "manufacturing" in the knowledge
industry?  If not, what's the difference?  Maybe the target audience is
different (academic vs. commercial), but the DMCA doesn't seem to care.


Here's another example, and this doesn't even involve mass distribution
(which might, perhaps, be implied when referring to "manufacturing"), but
could be invoking the DMCA because of "trafficking."

Reason #2:  http://www.politechbot.com/p-02412.html

   an Oklahoma man . accidentally discovered that his local
   newspaper's web server permitted anyone at all to edit its content
   using the Front Page client without authentication.  Like any good
   samaritan might, he alerted the newspaper's editor of the problem.
   Now, sixteen months later and under threat of prosecution, the U.S.
   Attorney's office is attempting to coerce him to accept a plea to
   a felony conviction and five years probation.

Here a man wasn't even "publishing" the information or mass distributing it
in any way; he was just giving it to the person who could solve the problem.
Nonetheless, he has been absolutely drilled by the feds for doing what many
of us would have done in the same situation--until now.


Even if it's not the DMCA that the feds use, they're finding ways to treat
publishing security flaw research as criminal activity.  The DMCA is the
most prominently bad law when it comes to free speech and coding issues;
perhaps it's simply being used as an umbrella scapegoat for all of the
problems in the United States Code when it comes to the First Amendment as
it relates to programming.


These stories have made me hesitant to use a script that seems like it would
be effective in dealing with the Code Red problem.  Let me explain.
Collectively, Code Reds I and II have hit the server I administer over 1300
times so far this month.  There's a perl script called Code Red Strikeback
that would return a request to that server to shut it down.  (The script
claims it only works on Code Red II infected machines.)  Basically, it would
help slow Code Red down and encourage people to patch their servers.  It
doesn't do anything malicious, but technically it does penetrate the system,
and that would be illegal.

According to the DMCA, I don't think it's legal to send you the script or
use it, as either could be construed as trafficking in circumvention
technology.  Is it even legal to say such a thing exists?

The recent string of prosecutions hardly seems "spurious."  I'm guessing
most of us don't think it should be illegal, but we'd also rather not risk
the five years probation or ten years in prison.  From Bush all the way
down, this government seems to consider hacking of any kind (including
accidental) to be equal to terrorism.  (Just listen to the rhetoric when a
DDOS attack hits the news.)  I can only guess at from where this comes.

Perhaps, hacking could be used to orchestrate terrorist activities, or
manipulate systems that could have terrorist effects.  But hacking itself is
no more terroristic than simply building a bomb, and certainly not
terroristic if you're just telling people how to do it.  (Aren't there
bomb-making guides on the Internet?  Are those illegal?)  I don't know what
the law says about using explosives on your farm if you want to take out a
tree, but I don't think it's equal to terrorism.

I'm not sure if saying Code Red Strikeback exists is legal.  I'm fairly
certain that no one is going to die or be injured because I said that, which
means that should not be considered terrorism.  So, I'm willing to take my
chances.  If even saying that is not legal, then it's time for
politechnicals to become a lot more politically active.

Tim

*********

Date: Sun, 26 Aug 2001 14:40:43 +0100
From: David Cantrell <david () cantrell org uk>
To: Declan McCullagh <declan () well com>
Subject: Re: FC: DMCA restricts police forensics tools, cryptanalysis research?
In-Reply-To: <5.0.2.1.0.20010825181724.02134940 () mail well com>; from

On Sat, Aug 25, 2001 at 06:41:56PM -0400, Declan McCullagh wrote:

> While the DMCA may well be an awful law, one thing I've never understood is
> why many folks seem to think it bans publishing your research into security
> flaws and so on.

I haven't read the law, but consider that most people can't afford to
defend themselves in court, and so the very threat of prosecution -
regardless of what the law actually says - is enough to prevent publishing.

--
David Cantrell | david () cantrell org uk | http://www.cantrell.org.uk/david

   Educating this luser would be something to frustrate even the
   unflappable Yoda and make him jam a lightsaber up his arse
   while screaming "praise evil, the Dark Side is your friend!".
                              -- Derek Balling, in the Monastery

*********

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
