FC: More on DMCA restricting forensics tools and crypto research

From: Declan McCullagh (declanat_private)
Date: Sun Aug 26 2001 - 08:21:46 PDT


    There seem to be two important questions here:
    1. Do the DMCA's civil or criminal sections apply to developing and selling 
    police forensics tools to the general public? Does the law enforcement 
    exception in the DMCA stretch to make such behavior lawful -- if you sell 
    only to law enforcement?
    2. Do the DMCA's civil or criminal sections make publishing an academic 
    paper or news article about how-to-circumvent-copy-protection illegal? What 
    if source code is included?
    
    I think the answer to question #2 is easier: No, at least if source code is 
    not included, no matter what the RIAA/SDMI may say. Question #1 seems a bit 
    more tricky.
    
    Below are responses from:
    * Lee Hollaar, who was a fellow with the Senate Judiciary committee and 
    worked on the DMCA. Lee is a computer science prof at the University of 
    Utah and has been the chair of IEEE-USA's Intellectual Property committee.
    * Harvey Silverglate of Silverglate and Good in Boston, who successfully 
    defended the first criminal not-for-profit copyright infringement case
    * R. Polk Wagner at the University of Pennsylvania's law school
    * Peter Wayner, author of Disappearing Cryptography
    * Fred Cohen, whose article to RISKS started this thread
    * David Wagner in the computer science department at the University of 
    California at Berkeley
    * and others
    
    Previous article:
    http://www.politechbot.com/p-02432.html
    
    DMCA article archive:
    http://www.politechbot.com/p-02432.html
    
    -Declan
    
    *********
    
    Date: Sat, 25 Aug 2001 17:40:09 -0600
    From: "Lee Hollaar" <hollaarat_private>
    To: declanat_private
    Subject: Re: FC: DMCA restricts police forensics tools, cryptanalysis
       research?
    In-Reply-To: <5.0.2.1.0.20010825181724.02134940at_private>
    
    At 04:41 PM 8/25/2001, you wrote:
    >Because the primary purpose of most of my forensic analysis tools is to
    >reveal things that are protected from revelation, and because the DMCA
    >makes it illegal to distribute such a device, I have been forced (based
    >on the recent arrests and other threats against authors of such things)
    >to withdraw my forensic products from the market.
    >
    >I should note that companies like Access Data who sell products that are
    >explicitly designed for undoing encryption, etc.  are almost certainly in
    >violation of the DMCA.  While the FBI might not arrest them now because they
    >sell to the FBI (and others in law enforcement - as did I), this does not
    >mean that the FBI cannot arrest them at any time and charge them with a
    >felony.  Indeed, sale to law enforcement is not legal, even though law
    >enforcement can, on its own, build and use such tools.
    
    Take a look at 17 USC 1201(e) --
         Law Enforcement, Intelligence, and Other Government Activities.-
         This section [the anticircumvention provision, section 1201] does not
         prohibit any lawfully authorized investigative, protective, information
         security, or intelligence activity of an officer, agent, or employee of
         the United States, a State, or a political subdivision of a State, or a
         person acting pursuant to a contract with the United States, a State,
         or a political subdivision of a State. For purposes of this subsection,
         the term "information security" means activities carried out in order
         to identify and address the vulnerabilities of a government computer,
         computer system, or computer network.
    
    Of course, selling something to law enforcement would be "acting pursuant
    to a contract" for that sale.
    
    *********
    
    From: "Harvey Silverglate" <hasat_private>
    To: <declanat_private>
    Subject: RE: DMCA restricts police forensics tools, cryptanalysis research?
    Date: Sun, 26 Aug 2001 00:59:56 -0400
    
    Declan
             I think you're right, but this law is a little tricky, and there's an
    atmosphere afoot that is not healthy for free speech or publicizing one's
    research. On the other hand, if there's going to be a test case of DMCA, one
    hopes that the fact setting will be conducive to a conclusion that the
    defendant was indeed discussing his research, rather than using the First
    Amendment as a cover for cracking. The ACLU has always been good, for
    example, at picking test cases where the facts made it more likely that we'd
    make good law.
                                                                                                             Harvey
    
    *********
    
    Date: Sun, 26 Aug 2001 00:02:04 -0400
    Subject: Re: FC: DMCA restricts police forensics tools, cryptanalysis
             research?
    From: "R. Polk Wagner" <polkat_private>
    To: <declanat_private>
    
    On 8/25/01 6:41 PM, "Declan McCullagh" <declanat_private> wrote:
    
     > The below message is from today's RISKS Digest
     > (http://www.csl.sri.com/users/risko/risksinfo.html).
     >
     > The DMCA (sec. 1201) says in part "no person shall manufacture, import,
     > offer to the public, provide, or otherwise traffic" in anything that "is
     > primarily designed or produced for the purpose of circumventing a
     > technological measure that effectively controls access to a work protected
     > under this title." Anyone care to speculate about whether that applies to
     > Fred's product? (http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:)
     >
    
    The DMCA has a specific exception for encryption research activities, 17 USC
    1201(g), as well as law enforcement activities, 17 USC 1021(e).  As far as I
    know, the true scope of those exceptions hasn't yet been tested.
    
     > While the DMCA may well be an awful law, one thing I've never understood is
     > why many folks seem to think it bans publishing your research into security
     > flaws and so on. The RIAA/SDMI threats against Ed Felten & co were
     > spurious. There are two prongs to the DMCA: Don't bypass copy protection
     > schemes, and don't sell stuff that automates that process. Nowhere does the
     > law say "don't tell others what you learned." Even if circumventing (for
     > profit) is a felony, telling people how they could theoretically break the
     > law is generally legal, right?
     > (http://www.loompanics.com/Articles/HitManLawsuit.htm)
     >
    
    (1) Telling others in some detail might be within the meaning of "provide"
    in these circumstances.
    
    (2) One could also make the claim that one commits contributory infringement
    by telling someone else how to circumvent.
    
    I think both of these arguments are really weak, but at least some folks on
    both sides of the debate seem to buy them.  I suppose there will be some
    fear until a court officially shoots the theories down.
    
    -- 
    =====================================
    R. Polk Wagner
    University of Pennsylvania Law School
    3400 Chestnut Street
    Philadelphia, Pennsylvania  19104
    http://www.law.upenn.edu/polk/
    =====================================
    
    *********
    
    Date: Sat, 25 Aug 2001 19:23:16 -0400
    To: declanat_private
    From: Peter Wayner <pcw2at_private>
    Subject: Re: FC: DMCA restricts police forensics tools,
      cryptanalysis research?
    
    >While the DMCA may well be an awful law, one thing I've never understood 
    >is why many folks seem to think it bans publishing your research into 
    >security flaws and so on. The RIAA/SDMI threats against Ed Felten & co 
    >were spurious. There are two prongs to the DMCA: Don't bypass copy 
    >protection schemes, and don't sell stuff that automates that process. 
    >Nowhere does the law say "don't tell others what you learned." Even if 
    >circumventing (for profit) is a felony, telling people how they could 
    >theoretically break the law is generally legal, right? 
    >(http://www.loompanics.com/Articles/HitManLawsuit.htm)
    
    I believe that it becomes a bit more of a problem when you actually 
    circulate source code. Yes, this is human readable and definitely a means 
    of expressing your opinion to a larger group. But it's also a mechanism 
    that will turn into software after being passed through a compiler. So is 
    it software or speech?
    
    -Peter
    
    *********
    
    Subject: Re: DMCA restricts police forensics tools, cryptanalysis research?
    To: declanat_private (Declan McCullagh)
    Date: Sat, 25 Aug 2001 16:12:15 -0700 (PDT)
    Cc: politechat_private
    In-Reply-To: <5.0.2.1.0.20010825181724.02134940at_private> from "Declan 
    McCullagh" at Aug 25, 2001 06:41:56 PM
    From: Fred Cohen <fcat_private>
    
    Per the message sent by Declan McCullagh:
    
     > The below message is from today's RISKS Digest
     > (http://www.csl.sri.com/users/risko/risksinfo.html).
    
     > The DMCA (sec. 1201) says in part "no person shall manufacture, import,
     > offer to the public, provide, or otherwise traffic" in anything that "is
     > primarily designed or produced for the purpose of circumventing a
     > technological measure that effectively controls access to a work protected
     > under this title." Anyone care to speculate about whether that applies to
     > Fred's product? (http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:)
    
    I believe it is quite clear that a product such as mine that is intended
    to bypass effective controls over access to copyrighted works (which is
    anything put into tangible form unless specifically not copyrighted) violates
    this law.
    
     > While the DMCA may well be an awful law, one thing I've never understood is
     > why many folks seem to think it bans publishing your research into security
     > flaws and so on.
    
    It does not prohibit research, only manufacture, import, offer to the
    public, provide, or otherwise traffic ...  the obvious problem being
    that research without publication is not useful if we are to make
    scientific progress.
    
     > The RIAA/SDMI threats against Ed Felten & co were spurious.
    
    They were not.  They had a chilling effect on him and on the rest of us
    doing research into such things.  Could they have been enforced? We may
    never know.  They are being used rather brutally against a Russian
    gentleman - one of the motivating factors in my decision for certain.
    
     > There are two prongs to the DMCA: Don't bypass copy protection
     > schemes, and don't sell stuff that automates that process. Nowhere does the
     > law say "don't tell others what you learned."
    
    It says that trafficking in information that leads to defeating protection
    is covered.
    
     > Even if circumventing (for
     > profit) is a felony, telling people how they could theoretically break the
     > law is generally legal, right?
    
    Theory is one thing - practical information is another.  But I wouldn't
    be too sure, and I am not all that certain - hence I am taking the prudent
    route.
    
     > (http://www.loompanics.com/Articles/HitManLawsuit.htm)
    
     > -Declan
    
    FC
    --This communication is confidential to the parties it is intended to serve--
    Fred Cohen              Fred Cohen & Associates.........tel/fax:925-454-0171
    fcat_private              The University of New Haven.....http://www.unhca.com/
    http://all.net/         Sandia National Laboratories....tel:925-294-2087
    
    *********
    
    From: David Wagner <dawat_private>
    Subject: FC: DMCA restricts police forensics tools, cryptanalysis research?
    To: declanat_private
    Date: Sat, 25 Aug 2001 16:12:16 -0700 (PDT)
    
    In article <5.0.2.1.0.20010825181724.02134940at_private> you write:
     >While the DMCA may well be an awful law, one thing I've never understood is
     >why many folks seem to think it bans publishing your research into security
     >flaws and so on.
    
    Ahh, how I wish it were as clearcut as you suggest.
    
    It's the "or component thereof" language (see the statute)
    which I'm told could be interpreted to include a paper that
    describes the algorithm for breaking a system, for instance.
    I've gotten the sense that this is not the most likely outcome,
    but even if there is only a 10% chance that some judge will
    interpret the statute in this way, that's more than enough
    for significant amounts of research to be chilled.
    
    You could say that the fear is due to uncertainty about how
    the DMCA will be interpreted as much as anything else.  The
    problem is that no one can promise us "there's no risk that
    your paper could be construed as a violation of the DMCA",
    and as long as this persists, one can only expect that people
    will be cautious.
    
    -- David
    
    *********
    
    From: "Charles L. Jackson" <chuckat_private>
    To: <declanat_private>
    Subject: RE: DMCA restricts police forensics tools, cryptanalysis research?
    Date: Sat, 25 Aug 2001 19:46:57 -0400
    In-Reply-To: <5.0.2.1.0.20010825181724.02134940at_private>
    
    Re:  Law enforcement.  The DMCA says:
    (e) LAW ENFORCEMENT, INTELLIGENCE, AND OTHER GOVERNMENT ACTIVITIES.-This
    section does not prohibit any lawfully authorized investigative,
    protective, information security, or intelligence activity of an officer,
    agent, or employee of the United States, a State, or a political
    subdivision of a State, or a person acting pursuant to a contract with the
    United States, a State, or a political subdivision of a State. For
    purposes of this subsection, the term "information security" means
    activities carried out in order to identify and address the
    vulnerabilities of a government computer, computer system, or computer
    network.
    
    
    Section (g)(2) of the DMCA describes "Permissible Acts of Encryption
    Research."  (That phrase seems to indicate that there are impermissible acts
    of encryption research).
    
    One of the factors determining whether research is permissible is where the
    research is published.  Specifically, the law states "In determining whether
    a person qualifies for the exemption under paragraph (2), the factors to be
    considered shall include -
    (A) whether the information derived from the encryption research was
    disseminated, and if so, whether it was disseminated in a manner reasonably
    calculated to advance the state of knowledge or development of encryption
    technology, versus whether it was disseminated in a manner that facilitates
    infringement under this title"
    
    For a lighter discussion of this last point see
    http://www.zdnet.com/zdnn/stories/comment/0,5859,2807159,00.html
    
    Chuck Jackson
    
    *********
    
    From: "Timothy McGhee" <mcgheeat_private>
    To: <declanat_private>
    References: <5.0.2.1.0.20010825181724.02134940at_private>
    Subject: Re: DMCA restricts police forensics tools, cryptanalysis research?
    Date: Sat, 25 Aug 2001 20:07:27 -0400
    
     > While the DMCA may well be an awful law, one thing I've never understood is
     > why many folks seem to think it bans publishing your research into security
     > flaws
    
    Two reasons for you:
    
    Reason #1:  http://www.politechbot.com/p-02270.html
    
        This would be the second known prosecution under the criminal sections
        of the controversial Digital Millennium Copyright Act, (DMCA) which
        took effect last year and makes it a crime to "manufacture" products
        that circumvent copy protection safeguards.
    
    Doesn't "publishing your research" = "manufacturing" in the knowledge
    industry?  If not, what's the difference?  Maybe the target audience is
    different (academic vs. commercial), but the DMCA doesn't seem to care.
    
    
    Here's another example, and this doesn't even involve mass distribution
    (which might, perhaps, be implied when referring to "manufacturing"), but
    could be invoking the DMCA because of "trafficking."
    
    Reason #2:  http://www.politechbot.com/p-02412.html
    
        an Oklahoma man . accidentally discovered that his local
        newspaper's web server permitted anyone at all to edit its content
        using the Front Page client without authentication.  Like any good
        samaritan might, he alerted the newspaper's editor of the problem.
        Now, sixteen months later and under threat of prosecution, the U.S.
        Attorney's office is attempting to coerce him to accept a plea to
        a felony conviction and five years probation.
    
    Here a man wasn't even "publishing" the information or mass distributing it
    in any way; he was just giving it to the person who could solve the problem.
    Nonetheless, he has been absolutely drilled by the feds for doing what many
    of us would have done in the same situation--until now.
    
    
    Even if it's not the DMCA that the feds use, they're finding ways to treat
    publishing security flaw research as criminal activity.  The DMCA is the
    most prominently bad law when it comes to free speech and coding issues;
    perhaps it's simply being used as an umbrella scapegoat for all of the
    problems in the United States Code when it comes to the First Amendment as
    it relates to programming.
    
    
    These stories have made me hesitant to use a script that seems like it would
    be effective in dealing with the Code Red problem.  Let me explain.
    Collectively, Code Reds I and II have hit the server I administer over 1300
    times so far this month.  There's a perl script called Code Red Strikeback
    that would return a request to that server to shut it down.  (The script
    claims it only works on Code Red II infected machines.)  Basically, it would
    help slow Code Red down and encourage people to patch their servers.  It
    doesn't do anything malicious, but technically it does penetrate the system,
    and that would be illegal.
    
    According to the DMCA, I don't think it's legal to send you the script or
    use it, as either could be construed as trafficking in circumvention
    technology.  Is it even legal to say such a thing exists?
    
    The recent string of prosecutions hardly seems "spurious."  I'm guessing
    most of us don't think it should be illegal, but we'd also rather not risk
    the five years probation or ten years in prison.  From Bush all the way
    down, this government seems to consider hacking of any kind (including
    accidental) to be equal to terrorism.  (Just listen to the rhetoric when a
    DDOS attack hits the news.)  I can only guess at from where this comes.
    
    Perhaps, hacking could be used to orchestrate terrorist activities, or
    manipulate systems that could have terrorist effects.  But hacking itself is
    no more terroristic than simply building a bomb, and certainly not
    terroristic if you're just telling people how to do it.  (Aren't there
    bomb-making guides on the Internet?  Are those illegal?)  I don't know what
    the law says about using explosives on your farm if you want to take out a
    tree, but I don't think it's equal to terrorism.
    
    I'm not sure if saying Code Red Strikeback exists, is legal.  I'm fairly
    certain that no one is going to die or be injured because I said that, which
    means that should not be considered terrorism.  So, I'm willing to take my
    chances.  If even saying that is not legal, then it's time for
    politechnicals to become a lot more politically active.
    
    Tim
    
    *********
    
    Date: Sun, 26 Aug 2001 14:40:43 +0100
    From: David Cantrell <davidat_private>
    To: Declan McCullagh <declanat_private>
    Subject: Re: FC: DMCA restricts police forensics tools, cryptanalysis research?
    In-Reply-To: <5.0.2.1.0.20010825181724.02134940at_private>; from
    
    On Sat, Aug 25, 2001 at 06:41:56PM -0400, Declan McCullagh wrote:
    
     > While the DMCA may well be an awful law, one thing I've never understood is
     > why many folks seem to think it bans publishing your research into security
     > flaws and so on.
    
    I haven't read the law, but consider that most people can't afford to
    defend themselves in court, and so the very threat of prosecution -
    regardless of what the law actually says - is enough to prevent publishing.
    
    -- 
    David Cantrell | davidat_private | http://www.cantrell.org.uk/david
    
        Educating this luser would be something to frustrate even the
        unflappable Yoda and make him jam a lightsaber up his arse
        while screaming "praise evil, the Dark Side is your friend!".
                                   -- Derek Balling, in the Monastery
    
    *********
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    


