[ISN] Copyright law chills IT security research

From: InfoSec News (isnat_private)
Date: Tue Aug 21 2001 - 01:04:48 PDT

  • Next message: InfoSec News: "[ISN] Wireless Networks in Big Trouble"

    August 20, 2001
    A cloud of fear and uncertainty hung over the 10th annual Usenix
    Security Symposium here last week, as IT researchers wondered
    nervously whether they would be hauled off to jail by the FBI for
    revealing security flaws in an antipiracy technology backed by the
    music industry.
    That didn't happen, but new charges of government censorship are being
    levied by critics of a 1998 law designed to protect copyrighted
    digital material, such as software, from unauthorized access and
    copying (see story). If the law isn't changed, legitimate scientists
    and corporate IT workers conducting research to improve computer and
    network security could be sent to jail, legal experts said.
    The team of IT researchers, headed by Edward Felten, a professor at
    Princeton University, and flanked by lawyers from the San
    Francisco-based Electronic Frontier Foundation (EFF), originally
    planned to present the paper at a conference in April. But they
    backpedaled after the Recording Industry Association of America (RIAA)
    threatened to sue.
    Felten took the RIAA to court in June, and the association eventually
    retracted its legal threats and gave Felten permission to present and
    publish his paper only at the Usenix symposium.
    The paper, titled, "Reading Between the Lines: Lessons from the SDMI
    Challenge," makes public several inherent security flaws in a
    technology developed to prevent unauthorized copying of digital music
    files. Felten and others conducted the research last September while
    taking part in a security contest sponsored by a consortium of
    recording companies known as the Secure Digital Music Initiative
    Despite what Felten and others called "a partial victory" for science
    and the First Amendment rights of legitimate researchers, the overly
    broad nature of the 1998 Digital Millennium Copyright Act (DMCA)
    threatens to stifle future IT research, according to legal experts.
    "The DMCA set up a system where, essentially, the government
    outsourced censorship of science," said Cindy Cohn, the EFF's legal
    director. The EFF is representing Felten, as well as Dmitry Sklyarov,
    a Russian programmer arrested on July 16 in Las Vegas for allegedly
    developing a software program that unlocks the encryption used to
    protect the copyrights of electronic-book publishers.
    Other scholars "have been chilled" by what happened to Felten, and
    foreign cryptographers are afraid to travel to the U.S., said Cohn.
    A Matter of Scope
    Enacted in 1998, the DMCA broadly outlines restrictions on the
    distribution or sale of any product, service or technology that
    circumvents access protections to copyrighted material. Although the
    law provides exemptions for law enforcement officials as well as
    encryption and security researchers, legal experts said it's unclear
    how far the law extends and whether corporate IT workers conducting
    integration work could be caught in its web.
    "There are questions about scope," said Peter Jaszi, a law professor
    at American University's Washington College of Law. A lot "depends on
    the actual consent" of the owner or copyright holder of the software,
    said Jaszi. In the case of encryption research, "a good-faith attempt"
    to gain such consent is necessary, he said.
    But not everyone agrees that the DMCA is a bad thing. Industry
    representatives, as well as authors and other content providers, have
    vehemently argued that the DMCA protects their right to earn a living
    by discouraging dishonest people from violating copyright protections.
    The DMCA is "a well-balanced piece of legislation that took into
    account every group's interests," said Keith Kupferschmid,
    intellectual property counsel for the Software & Information Industry
    Association in Washington.
    In the Sklyarov case, for example, the Russian programmer engaged in
    the trafficking of software that circumvented technological protection
    measures, Kupferschmid said. Sklyarov, an employee at Moscow-based
    ElcomSoft Co., allegedly tried to sell copies of the circumvention
    software at the Def Con conference in Las Vegas.
    Dan Langin, an attorney who specializes in computer security and
    represents companies such as Redwood City, Calif.-based Recourse
    Technologies Inc., said the fair-use clause of the DMCA excludes
    reverse-engineering for the purposes of doing integration work and
    legitimate research. In that respect, "IT workers have pretty solid
    ground to stand on," he said. Nonetheless, Langin added that a written
    agreement with software companies for access to code beyond the normal
    application programming interface is a critical protection.
    For Felten and other researchers, however, the uncertainty of how far
    the law extends is cause enough to stifle legitimate research that can
    have positive effects beyond computer security.
    "The DMCA seems to cast a very wide net and will catch a lot of things
    besides computer security," said Felten. For example, the
    echo-detection methods used by Felten's research team to break the
    security of music CDs is a breakthrough technology that can be used by
    seismologists, he said.
    "People don't know what they can say and what they can write," said
    Felten. "The scientific community can't operate that way."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 04:09:02 PDT