http://www.wired.com/news/politics/0,1283,46091,00.html By Steve Kettmann 10:40 a.m. Aug. 15, 2001 PDT BERLIN -- A Dutch cryptography expert blasted as "horrific" the ambiguous legal reach of the U.S. Digital Millennium Copyright Act, which he feels bars him from publishing his work, even in the Netherlands. Niels Ferguson revealed last weekend at the Hackers at Large conference in Enschede, Netherlands that he had found a way around Intel Corporation's High-bandwidth Digital Content Protection (HDCP) for digital video. But he said he would not be publishing his findings out of fear of the legal ramifications, and on Wednesday he vowed to campaign against what he feels is the inappropriate scope of the DMCA. "I've written a paper on this, containing all this information, and I decided not to publish it for fear of liability and fear of prosecution under the U.S. Digital Millennium Copyright Act," he said. "How can I know which laws are applying to me? The principle of applying national laws to international jurisdictions is horrific. I've had to censor myself, because the risk is too big, but I'm not doing it quietly." In fact, Ferguson will visit the United States starting Friday for a conference on cryptography, Crypto 2001, in Santa Barbara, California, and plans to continue speaking out against the DMCA. He will not be presenting a paper at the conference, but on Tuesday night there is a session intended for just such "late-breaking news" as what Ferguson has to share, said event organizer Joe Kilian, a cryptographer with Yianilos Labs in Princeton, New Jersey. The DMCA is sure to be a major topic of conversation in Santa Barbara, he added. "The potential for abuse is tremendous," said Kilian. "Those of us who work in digital rights management have to have a realistic perspective on what we hope to achieve. The analogy I give is: Encryption is like a brick wall. You can encrypt a file and people will have a hard time breaking that encryption without a key. But if you're trying to protect music or a video, all you can really do is erect speed bumps. The Digital Millennium Copyright Act basically says let's make everyone pretend that our digital rights management systems are stronger than they really are." The legal reach of the act remains unclear, and Ferguson is still exploring his legal situation. "I've talked with a lawyer from the Electronic Frontier Foundation, and today I've just spoken to another lawyer in California working on this area," Ferguson said. "Even publishing this stuff in the Netherlands would open me up to civil and criminal liability," he said. "The law is very vague. In my opinion, it is so obviously violating the First Amendment. And yet all these lawyers are threatening lawsuits over it." Ferguson stressed that Intel has in no way threatened him. But he worries that if he did publish, and Intel did take legal action, other lawsuits may follow -- including, perhaps, one initiated by the Motion Picture Association of America. He has closely followed the case of Princeton University professor Edward Felten, who was able to disable the anti-piracy technology used by the music industry. Felten decided against explaining his findings at a Pittsburgh conference last spring after what he described as legal threats from a lawyer representing the Recording Industry Association of America. Later, the RIAA said it had no intention to sue Felten or his associates, clearing the way for him to share his research. "He's in many ways in a similar situation," Ferguson said Wednesday of Felten. "But he was actually threatened. I want to make it quite clear, Intel has never threatened me. I have no reason to believe Intel will be as bad as RIAA." The official Intel line follows, as explained by company spokesman Daven Oswalt: "We have no problem with Mr. Ferguson presenting his research. The information that he's saying, it's certainly his right to say it." However, when it comes to the DMCA itself, Intel's position appears a bit harder. Continues Oswalt: "Even if Intel entered into an agreement (not to sue), we'd have no control of what other government authorities would decide. It's hard for us to tell what the legal ramifications (were of publishing)." As Robin Gross, the EFF intellectual property lawyer with whom Ferguson has consulted, put it early this week in a statement: "The recording industry has done untold damage by their threats to Felten and the other researchers, their universities, and the conference organizers. The resulting chilling effect on the broader scientific community continues unabated." For Ferguson, then, the enemy is not Intel, but a vague legal act that disrupts the free flow of information worldwide. As Ferguson explained Wednesday in a new posting at his website, he was left little choice but to "censor" himself, even though sharing information is an essential part of his work as a professional cryptographer. "Computer security and cryptography are hard," he said. "It is easy to make mistakes, and one mistake is all it takes to create a weakness. We share our knowledge with others, so that they don't have to repeat the same mistake." He goes on to explain that HDCP is "fatally flawed. Once you know the master key, you can decrypt any movie, impersonate any HDCP device, and even create new HDCP devices that will work with the 'official' ones. This is really, really bad news for a security system. If this master key is ever published, HDCP will provide no protection whatsoever. The flaws in HDCP are not hard to find. As I like to say: I was just reading it and it broke.'" But he is not about to give up traveling to the United States, something he might have to do if he published his work and legal action was taken against him. Instead, he will speak out against what he believes is an injustice, joining Felten and Russian programmer Dmitry Sklyarov as high-profile foes of the DMCA. "He is charged with violating the DMCA while performing his work in Russia as an employee for a Russian firm," Ferguson writes of Sklyarov. "As far as we know, what he did was perfectly legal in Russia, and in most other countries in the world." - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 01:03:53 PDT