FC: DMCA restricts police forensics tools, cryptanalysis research?

From: Declan McCullagh (declanat_private)
Date: Sat Aug 25 2001 - 15:41:56 PDT

  • Next message: Declan McCullagh: "FC: Microsoft allies reply to dead-people-writing-letters story"

    The below message is from today's RISKS Digest 
    (http://www.csl.sri.com/users/risko/risksinfo.html).
    
    The DMCA (sec. 1201) says in part "no person shall manufacture, import, 
    offer to the public, provide, or otherwise traffic" in anything that "is 
    primarily designed or produced for the purpose of circumventing a 
    technological measure that effectively controls access to a work protected 
    under this title." Anyone care to speculate about whether that applies to 
    Fred's product? (http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:)
    
    While the DMCA may well be an awful law, one thing I've never understood is 
    why many folks seem to think it bans publishing your research into security 
    flaws and so on. The RIAA/SDMI threats against Ed Felten & co were 
    spurious. There are two prongs to the DMCA: Don't bypass copy protection 
    schemes, and don't sell stuff that automates that process. Nowhere does the 
    law say "don't tell others what you learned." Even if circumventing (for 
    profit) is a felony, telling people how they could theoretically break the 
    law is generally legal, right? 
    (http://www.loompanics.com/Articles/HitManLawsuit.htm)
    
    -Declan
    
    **********
    
    Date: Fri, 17 Aug 2001 15:47:51 -0700 (PDT)
    From: Fred Cohen <fcat_private>
    Subject: Re: Avoiding prosecution of the DMCA (Ferguson, RISKS-21.60)
    
    The DMCA has also had effects on my forensic analysis products.  Because the
    current copyright law makes anything that is put into tangible form
    copyright unless made otherwise by the author (or by law), things like
    criminal records are copyright.
    
    This means that if the criminal tries to protect their material - for
    example by hiding it using steganography, encrypting it, or by putting
    it on a computer with a password to prevent unauthorized access - then
    that work is protected by the DMCA (after all, the password on Windows
    systems is effective protection unless you try to circumvent it).
    
    Because the primary purpose of most of my forensic analysis tools is to
    reveal things that are protected from revelation, and because the DMCA
    makes it illegal to distribute such a device, I have been forced (based
    on the recent arrests and other threats against authors of such things)
    to withdraw my forensic products from the market.
    
    I should note that companies like Access Data who sell products that are
    explicitly designed for undoing encryption, etc.  are almost certainly in
    violation of the DMCA.  While the FBI might not arrest them now because they
    sell to the FBI (and other in law enforcement - as did I), this does not
    mean that the FBI cannot arrest them at any time and charge them with a
    felony.  Indeed, sale to law enforcement is not legal, even though law
    enforcement can, on its own, build and use such tools.
    
    The effects on research and education are even more interesting.  For
    example, I am having a discussion with my university now about canceling
    courses on forensics and cryptanalysis because in these courses we teach
    people how to get around protection of this sort and may provide the
    capabilities to do so in so teaching.  The DMCA has, I believe, made this
    illegal - and if you are teaching such a course next semester, you might
    think about the issues as well.  On the research side, I don't work on
    research I cannot publish, so I am canceling the aspects of my research
    that go into these areas.
    
    Fred Cohen		Fred Cohen & Associates.........tel/fax:925-454-0171
    fcat_private		The University of New Haven.....http://www.unhca.com/
    http://all.net/		Sandia National Laboratories....tel:925-294-2087
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Sat Aug 25 2001 - 16:01:27 PDT