It isn’t often that Canadian IT security researchers worry about copyright legislation.
But proposed amendments to Canada’s Copyright Act have many of them in a tizzy. Libel chill is about steering your words away from an area you and everyone else knows is free and fair, but the danger of somebody suing you makes you stay away from it.David Fewer>Text
If they pass, the amendments would make it illegal for anyone to circumvent technology protection measures (TPMs) copyright holders use to regulate access and use of copyrighted materials. TPMs include digital watermarks or content scrambling systems on DVDs to control the kinds of devices and systems that can access DVD content.
The proposed amendments, the researchers say, could stifle security research by creating the equivalent of a ‘libel chill’ among those examining protection technologies. It could have other unfortunate consequences, they add.
The researchers called on Industry Minister David Emerson and Canadian Heritage Minister Liza Frulla and expressed their misgivings.
Their objections are graphically summed up by Bob Young, the Canadian co-founder of and director of Red Hat Inc. “Legal protection against TPMs,” Young says, “is the equivalent of making screw-drivers illegal because they can be used to break and enter.”
What worries Young most are anti-circumvention measures in the amendments. If the amendments are passed they could criminalize researchers who create the tools needed to test how TPMs might be circumvented, he said, adding that such tools are a legitimate part of security research.
Good legislation, argues Young, who is also founder and CEO of Raleigh, NC-based Lulu Enterprises Inc., “targets the illegal act and not the legal tools the crook might use.”
Young likens the anti-circumvention provisions in the amendments to someone telling a researcher in padlocks that he or she cannot create a tool to see how secure a padlock is in reality. “These anti-circumvention parts say that if you try to understand those padlocks, you can get thrown into jail for it.”
What Young and others want is that any proposed amendments to the Copyright Act have explicit provisions to protect security researchers and their work so legitimate security research does not become inadvertently criminalized.
His concern – shared by legal experts and many in Canada’s technology industry – is the amendments will make criminals out of researchers who study security solutions and often need to create tools to circumvent TPMs to test their effectiveness.
The possibility of such research falling foul of the law, they say, could create the equivalent of a digital ‘libel chill’ amongst security researchers.
“Libel chill is about steering your words away from an area you and everyone else knows is free and fair, but the danger of somebody suing you makes you stay away from it,” said David Fewer, legal counsel for the Canadian Internet Policy and Public Interest Clinic with the Faculty of Law at the University of Ottawa. “If you are a security researcher and want to look at an area that may potentially implicate TPM protection, what rational person would not steer clear of doing research there?”
Fewer’s fear is not unfounded.
In April 2001, researchers led by Princeton professor Ed Felten announced that the Digital Rights Management (DRM) system, developed by the Secure Digital Media Initiative to protect recorded music, could be circumvented.
Felten and his team were about to present a paper on their findings describing how the DRM could be overcome when the Recording Industry Artists of America (RIAA) threatened a lawsuit under the Digital Millennium Copyright Act to prevent the paper and research from becoming public.
That, said Brian O’Higgins, chief technology officer for the Ottawa-based Third Bridge Inc., is a good example of how legislation, supposedly meant to protect copyright, in fact hinders research into technologies that better secure access to copyrighted material.
“The trouble is security researchers inadvertently get caught by this,” O’Higgins added. “[Security is] about looking at current systems, finding weaknesses, and coming up with solutions.”
The fear is that if such provisions are not in place, security research looking at copy protection, encryption, and other right management solutions will be hampered or move out of Canada.