A cloud of fear and uncertainty hung over the 10th annual Usenix Security Symposium in Washington D.C. last week, as IT researchers wondered nervously whether they would be hauled off to jail by the FBI for revealing security flaws in an anti-piracy technology backed by the music industry.
That didn’t happen, but new charges of government censorship are being levied by critics of a 1998 law designed to protect copyrighted digital material, such as software, from unauthorized access and copying. If the law isn’t changed, legitimate scientists and corporate IT workers conducting research to improve computer and network security could be sent to jail, legal experts said.
The team of IT researchers, headed by Edward Felten, a professor at Princeton University, and flanked by lawyers from the San Francisco-based Electronic Frontier Foundation (EFF), originally planned to present the paper at a conference in April. But they backpedaled after the Recording Industry Association of America (RIAA) threatened to sue.
Felten took the RIAA to court in June, and the association eventually retracted its legal threats and gave Felten permission to present and publish his paper only at the Usenix symposium.
The paper, titled, “Reading Between the Lines: Lessons from the SDMI Challenge,” makes public several inherent security flaws in a technology developed to prevent unauthorized copying of digital music files. Felten and others conducted the research last September while taking part in a security contest sponsored by a consortium of recording companies known as the Secure Digital Music Initiative (SDMI).
Despite what Felten and others called “a partial victory” for science and the First Amendment rights of legitimate researchers, the overly broad nature of the 1998 Digital Millennium Copyright Act (DMCA) threatens to stifle future IT research, according to legal experts.
“The DMCA set up a system where, essentially, the government outsourced censorship of science,” said Cindy Cohn, the EFF’s legal director. The EFF is representing Felten, as well as Dmitry Sklyarov, a Russian programmer arrested on July 16 in Las Vegas for allegedly developing a software program that unlocks the encryption used to protect the copyrights of electronic-book publishers.
Other scholars “have been chilled” by what happened to Felten, and foreign cryptographers are afraid to travel to the U.S., said Cohn.
A Matter of Scope
Enacted in 1998, the DMCA broadly outlines restrictions on the distribution or sale of any product, service or technology that circumvents access protections to copyrighted material. Although the law provides exemptions for law enforcement officials as well as encryption and security researchers, legal experts said it’s unclear how far the law extends and whether corporate IT workers conducting integration work could be caught in its web.
“There are questions about scope,” said Peter Jaszi, a law professor at American University’s Washington College of Law. A lot “depends on the actual consent” of the owner or copyright holder of the software, said Jaszi. In the case of encryption research, “a good-faith attempt” to gain such consent is necessary, he said.
But not everyone agrees that the DMCA is a bad thing. Industry representatives, as well as authors and other content providers, have vehemently argued that the DMCA protects their right to earn a living by discouraging dishonest people from violating copyright protections.
The DMCA is “a well-balanced piece of legislation that took into account every group’s interests,” said Keith Kupferschmid, intellectual property counsel for the Software & Information Industry Association in Washington.
In the Sklyarov case, for example, the Russian programmer engaged in the trafficking of software that circumvented technological protection measures, Kupferschmid said. Sklyarov, an employee at Moscow-based ElcomSoft Co., allegedly tried to sell copies of the circumvention software at the Def Con conference in Las Vegas.
Dan Langin, an attorney who specializes in computer security and represents companies such as Redwood City, Calif.-based Recourse Technologies Inc., said the fair-use clause of the DMCA excludes reverse-engineering for the purposes of doing integration work and legitimate research. In that respect, “IT workers have pretty solid ground to stand on,” he said. Nonetheless, Langin added that a written agreement with software companies for access to code beyond the normal application programming interface is a critical protection.
For Felten and other researchers, however, the uncertainty of how far the law extends is cause enough to stifle legitimate research that can have positive effects beyond computer security.
“The DMCA seems to cast a very wide net and will catch a lot of things besides computer security,” said Felten. For example, the echo-detection methods used by Felten’s research team to break the security of music CDs is a breakthrough technology that can be used by seismologists, he said.
“People don’t know what they can say and what they can write,” said Felten. “The scientific community can’t operate that way.”