The below message is from today's RISKS Digest (http://www.csl.sri.com/users/risko/risksinfo.html). The DMCA (sec. 1201) says in part "no person shall manufacture, import, offer to the public, provide, or otherwise traffic" in anything that "is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title." Anyone care to speculate about whether that applies to Fred's product? (http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:) While the DMCA may well be an awful law, one thing I've never understood is why many folks seem to think it bans publishing your research into security flaws and so on. The RIAA/SDMI threats against Ed Felten & co were spurious. There are two prongs to the DMCA: Don't bypass copy protection schemes, and don't sell stuff that automates that process. Nowhere does the law say "don't tell others what you learned." Even if circumventing (for profit) is a felony, telling people how they could theoretically break the law is generally legal, right? (http://www.loompanics.com/Articles/HitManLawsuit.htm) -Declan ********** Date: Fri, 17 Aug 2001 15:47:51 -0700 (PDT) From: Fred Cohen <fcat_private> Subject: Re: Avoiding prosecution of the DMCA (Ferguson, RISKS-21.60) The DMCA has also had effects on my forensic analysis products. Because the current copyright law makes anything that is put into tangible form copyright unless made otherwise by the author (or by law), things like criminal records are copyright. This means that if the criminal tries to protect their material - for example by hiding it using steganography, encrypting it, or by putting it on a computer with a password to prevent unauthorized access - then that work is protected by the DMCA (after all, the password on Windows systems is effective protection unless you try to circumvent it). Because the primary purpose of most of my forensic analysis tools is to reveal things that are protected from revelation, and because the DMCA makes it illegal to distribute such a device, I have been forced (based on the recent arrests and other threats against authors of such things) to withdraw my forensic products from the market. I should note that companies like Access Data who sell products that are explicitly designed for undoing encryption, etc. are almost certainly in violation of the DMCA. While the FBI might not arrest them now because they sell to the FBI (and other in law enforcement - as did I), this does not mean that the FBI cannot arrest them at any time and charge them with a felony. Indeed, sale to law enforcement is not legal, even though law enforcement can, on its own, build and use such tools. The effects on research and education are even more interesting. For example, I am having a discussion with my university now about canceling courses on forensics and cryptanalysis because in these courses we teach people how to get around protection of this sort and may provide the capabilities to do so in so teaching. The DMCA has, I believe, made this illegal - and if you are teaching such a course next semester, you might think about the issues as well. On the research side, I don't work on research I cannot publish, so I am canceling the aspects of my research that go into these areas. Fred Cohen Fred Cohen & Associates.........tel/fax:925-454-0171 fcat_private The University of New Haven.....http://www.unhca.com/ http://all.net/ Sandia National Laboratories....tel:925-294-2087 ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. Declan McCullagh's photographs are at http://www.mccullagh.org/ To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sat Aug 25 2001 - 16:01:27 PDT