[free-sklyarov] [Fwd: More on DMCA restricting forensics tools and crypto research]

Seth Johnson seth.johnson at RealMeasures.dyndns.org
Sun Aug 26 10:47:43 PDT 2001


(Forwarded from POLITECH list)

-------- Original Message --------
Date: Sun, 26 Aug 2001 11:21:46 -0400
From: Declan McCullagh <declan at well.com>

There seem to be two important questions here:
1. Do the DMCA's civil or criminal sections apply to developing and selling police forensics tools to the general public? Does the law enforcement exception in the DMCA stretch to make such behavior lawful -- if you sell only to law enforcement?
2. Do the DMCA's civil or criminal sections make publishing an academic paper or news article about how-to-circumvent-copy-protection illegal?  What if source code is included?

I think the answer to question #2 is easier: No, at least if source code
is not included, no matter what the RIAA/SDMI may say. Question #1 seems a
bit more tricky.

Below are responses from:
* Lee Hollaar, who was a fellow with the Senate Judiciary committee and 
worked on the DMCA. Lee is a computer science prof at the University of 
Utah and has been the chair of IEEE-USA's Intellectual Property
committee.
* Harvey Silverglate of Silverglate and Good in Boston, who successfully 
defended the first criminal not-for-profit copyright infringement case
* R. Polk Wagner at the University of Pennsylvania's law school
* Peter Wayner, author of Disappearing Cryptography
* Fred Cohen, whose article to RISKS started this thread
* David Wagner in the computer science department at the University of
California at Berkeley
* and others

Previous article:
http://www.politechbot.com/p-02432.html

DMCA article archive:
http://www.politechbot.com/p-02432.html

-Declan

*********

Date: Sat, 25 Aug 2001 17:40:09 -0600
From: "Lee Hollaar" <hollaar at cs.utah.edu>
To: declan at well.com
Subject: Re: FC: DMCA restricts police forensics tools, cryptanalysis
   research?
In-Reply-To: <5.0.2.1.0.20010825181724.02134940 at mail.well.com>

At 04:41 PM 8/25/2001, you wrote:
>Because the primary purpose of most of my forensic analysis tools is to
>reveal things that are protected from revelation, and because the DMCA
>makes it illegal to distribute such a device, I have been forced (based
>on the recent arrests and other threats against authors of such things)
>to withdraw my forensic products from the market.
>
>I should note that companies like Access Data who sell products that are
>explicitly designed for undoing encryption, etc.  are almost certainly in
>violation of the DMCA.  While the FBI might not arrest them now because they
>sell to the FBI (and other in law enforcement - as did I), this does not
>mean that the FBI cannot arrest them at any time and charge them with a
>felony.  Indeed, sale to law enforcement is not legal, even though law
>enforcement can, on its own, build and use such tools.

Take a look at 17 USC 1201(e) --
Law Enforcement, Intelligence, and Other Government Activities.- This section [the anticircumvention provision, section 1201] does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States, a State, or a political subdivision of a State, or a person acting pursuant to a contract with the United States, a State, or a political subdivision of a State. For purposes of this subsection, the term "information security" means activities carried out in order to identify and address the vulnerabilities of a government computer, computer system, or computer network.

Of course, selling something to law enforcement would be "acting pursuant to a contract" for that sale. 

*********

From: "Harvey Silverglate" <has at world.std.com>
To: <declan at well.com>
Subject: RE: DMCA restricts police forensics tools, cryptanalysis
research?
Date: Sun, 26 Aug 2001 00:59:56 -0400

Declan

I think you're right, but this law is a little tricky, and there's an atmosphere afoot that is not healthy for free speech or publicizing one's research. On the other hand, if there's going to be a test case of DMCA, one hopes that the fact setting will be conducive to a conclusion that the defendant was indeed discussing his research, rather than using the First Amendment as a cover for cracking. The ACLU has always been good, for example, at picking test cases where the facts made it more likely that we'd make good law.

Harvey

*********

Date: Sun, 26 Aug 2001 00:02:04 -0400
Subject: Re: FC: DMCA restricts police forensics tools, cryptanalysis
         research?
From: "R. Polk Wagner" <polk at law.upenn.edu>
To: <declan at well.com>

On 8/25/01 6:41 PM, "Declan McCullagh" <declan at well.com> wrote:

 > The below message is from today's RISKS Digest
 > (http://www.csl.sri.com/users/risko/risksinfo.html).
 >
 > The DMCA (sec. 1201) says in part "no person shall manufacture, import,
 > offer to the public, provide, or otherwise traffic" in anything that "is
 > primarily designed or produced for the purpose of circumventing a
 > technological measure that effectively controls access to a work protected
 > under this title." Anyone care to speculate about whether that applies to
 > Fred's product? (http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:)
 >

The DMCA has a specific exception for encryption research activities, 17 USC 1201(g), as well as law enforcement activities, 17 USC 1021(e).  As far as I know, the true scope of those exceptions hasn't yet been tested.

 > While the DMCA may well be an awful law, one thing I've never understood is
 > why many folks seem to think it bans publishing your research into security
 > flaws and so on. The RIAA/SDMI threats against Ed Felten & co were
 > spurious. There are two prongs to the DMCA: Don't bypass copy protection
 > schemes, and don't sell stuff that automates that process. Nowhere does the
 > law say "don't tell others what you learned." Even if circumventing (for
 > profit) is a felony, telling people how they could theoretically break the
 > law is generally legal, right?
 > (http://www.loompanics.com/Articles/HitManLawsuit.htm)
 >

(1) Telling others in some detail might be within the meaning of
"provide" in these circumstances.

(2) One could also make the claim that one commits contributory
infringement by telling someone else how to circumvent.

I think both of these arguments are really weak, but at least some folks on both sides of the debate seem to buy them.  I suppose there will be some fear until a court officially shoots the theories down.

-- 
=====================================
R. Polk Wagner
University of Pennsylvania Law School
3400 Chestnut Street
Philadelphia, Pennsylvania  19104
http://www.law.upenn.edu/polk/
=====================================

*********

Date: Sat, 25 Aug 2001 19:23:16 -0400
To: declan at well.com
From: Peter Wayner <pcw2 at flyzone.com>
Subject: Re: FC: DMCA restricts police forensics tools,
  cryptanalysis research?

>While the DMCA may well be an awful law, one thing I've never understood 
>is why many folks seem to think it bans publishing your research into 
>security flaws and so on. The RIAA/SDMI threats against Ed Felten & co 
>were spurious. There are two prongs to the DMCA: Don't bypass copy 
>protection schemes, and don't sell stuff that automates that process. 
>Nowhere does the law say "don't tell others what you learned." Even if 
>circumventing (for profit) is a felony, telling people how they could 
>theoretically break the law is generally legal, right? 
>(http://www.loompanics.com/Articles/HitManLawsuit.htm)

I believe that it becomes a bit more of a problem when you actually circulate source code. Yes, this is human readable and definitely a means of expressing your opinion to a larger group. But it's also a mechanism that will turn into software after being passed through a compiler. So is it software or speech?

-Peter

*********

Subject: Re: DMCA restricts police forensics tools, cryptanalysis
research?
To: declan at well.com (Declan McCullagh)
Date: Sat, 25 Aug 2001 16:12:15 -0700 (PDT)
Cc: politech at politechbot.com
In-Reply-To: <5.0.2.1.0.20010825181724.02134940 at mail.well.com> from
 "Declan McCullagh" at Aug 25, 2001 06:41:56 PM
From: Fred Cohen <fc at all.net>

Per the message sent by Declan McCullagh:

 > The below message is from today's RISKS Digest
 > (http://www.csl.sri.com/users/risko/risksinfo.html).

 > The DMCA (sec. 1201) says in part "no person shall manufacture, import,
 > offer to the public, provide, or otherwise traffic" in anything that "is
 > primarily designed or produced for the purpose of circumventing a
 > technological measure that effectively controls access to a work protected
 > under this title." Anyone care to speculate about whether that applies to
 > Fred's product? (http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:)

I believe it is quite clear that a product such as mine that is intended
to bypass effective controls over access to copyrighted works (which is
anything put into tangible form unless specifically not copyrighted)
violates this law.

 > While the DMCA may well be an awful law, one thing I've never understood is
 > why many folks seem to think it bans publishing your research into security
 > flaws and so on.

It does not prohibit research, only manufacture, import, offer to the
public, provide, or otherwise traffic ...  the obvious problem being
that research without publication is not useful if we are to make
scientific progress.

 > The RIAA/SDMI threats against Ed Felten & co were spurious.

They were not.  They had a chilling effect on him and on the rest of us
doing research into such things.  Could they have been enforced? We may
never know.  They are being used rather brutally against a Russian
gentleman - one of the motivating factors in my decision for certain.

 > There are two prongs to the DMCA: Don't bypass copy protection
 > schemes, and don't sell stuff that automates that process. Nowhere does the
 > law say "don't tell others what you learned."

It says that trafficking in information that leads to defeating protection is covered.

 > Even if circumventing (for
 > profit) is a felony, telling people how they could theoretically break the
 > law is generally legal, right?

Theory is one thing - practical information is another.  But I wouldn't be too sure, and I am not all that certain - hence I am taking the prudent route.

 > (http://www.loompanics.com/Articles/HitManLawsuit.htm)

 > -Declan

FC
--This communication is confidential to the parties it is intended to serve--
Fred Cohen              Fred Cohen & Associates.........tel/fax:925-454-0171
fc at all.net           The University of New Haven.....http://www.unhca.com/
http://all.net/         Sandia National Laboratories....tel:925-294-2087

*********

From: David Wagner <daw at cs.berkeley.edu>
Subject: FC: DMCA restricts police forensics tools, cryptanalysis research?
To: declan at well.com
Date: Sat, 25 Aug 2001 16:12:16 -0700 (PDT)

In article <5.0.2.1.0.20010825181724.02134940 at mail.well.com> you write:
 >While the DMCA may well be an awful law, one thing I've never understood is
 >why many folks seem to think it bans publishing your research into security
 >flaws and so on.

Ahh, how I wish it were as clearcut as you suggest.

It's the "or component thereof" language (see the statute)
which I'm told could be interpreted to include a paper that
describes the algorithm for breaking a system, for instance.
I've gotten the sense that this is not the most likely outcome,
but even if there is only a 10% chance that some judge will
interpret the statute in this way, that's more than enough
for significant amounts of research to be chilled.

You could say that the fear is due to uncertainty about how
the DMCA will be interpreted as much as anything else.  The
problem is that no one can promise us "there's no risk that
your paper could be construed as a violation of the DMCA",
and as long as this persists, one can only expect that people
will be cautious.

-- David

*********

From: "Charles L. Jackson" <chuck at jacksons.net>
To: <declan at well.com>
Subject: RE: DMCA restricts police forensics tools, cryptanalysis
research?
Date: Sat, 25 Aug 2001 19:46:57 -0400
In-Reply-To: <5.0.2.1.0.20010825181724.02134940 at mail.well.com>

Re:  Law enforcement.  The DMCA says:
(e) LAW ENFORCEMENT, INTELLIGENCE, AND OTHER GOVERNMENT ACTIVITIES.-This section does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States, a State, or a political subdivision of a State, or a person acting pursuant to a contract with the United States, a State, or a political subdivision of a State. For purposes of this subsection, the term "information security" means activities carried out in order to identify and address the vulnerabilities of a government computer, computer system, or computer network.

Section (g)(2) of the DMCA describes "Permissible Acts of Encryption Research."  (That phrase seems to indicate that there are impermissible acts of encryption research).

One of the factors determining whether research is permissible is where the research is published.  Specifically, the law states "In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include - (A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title"

For a lighter discussion of this last point see
http://www.zdnet.com/zdnn/stories/comment/0,5859,2807159,00.html

Chuck Jackson

*********

From: "Timothy McGhee" <mcghee at bigfoot.com>
To: <declan at well.com>
References: <5.0.2.1.0.20010825181724.02134940 at mail.well.com>
Subject: Re: DMCA restricts police forensics tools, cryptanalysis
research?
Date: Sat, 25 Aug 2001 20:07:27 -0400

 > While the DMCA may well be an awful law, one thing I've never understood is
 > why many folks seem to think it bans publishing your research into security
 > flaws

Two reasons for you:

Reason #1:  http://www.politechbot.com/p-02270.html

This would be the second known prosecution under the criminal sections of the controversial Digital Millennium Copyright Act, (DMCA) which took effect last year and makes it a crime to "manufacture" products that circumvent copy protection safeguards.

Doesn't "publishing your research" = "manufacturing" in the knowledge industry?  If not, what's the difference?  Maybe the target audience is different (academic vs. commercial), but the DMCA doesn't seem to care.


Here's another example, and this doesn't even involve mass distribution (which might, perhaps, be implied when referring to "manufacturing"), but could be invoking the DMCA because of "trafficking."

Reason #2:  http://www.politechbot.com/p-02412.html

an Oklahoma man . accidentally discovered that his local newspaper's web server permitted anyone at all to edit its content using the Front Page client without authentication.  Like any good samaritan might, he alerted the newspaper's editor of the problem. Now, sixteen months later and under threat of prosecution, the U.S. Attorney's office is attempting to coerce him to accept a plea to a felony conviction and five years probation.

Here a man wasn't even "publishing" the information or mass distributing it in any way; he was just giving it to the person who could solve the problem.  Nonetheless, he has been absolutely drilled by the feds for doing what many of us would have done in the same situation--until now.


Even if it's not the DMCA that the feds use, they're finding ways to treat publishing security flaw research as criminal activity.  The DMCA is the most prominently bad law when it comes to free speech and coding issues; perhaps it's simply being used as an umbrella scapegoat for all of the problems in the United States Code when it comes to the First Amendment as it relates to programming.


These stories have made me hesitant to use a script that seems like it would be effective in dealing with the Code Red problem.  Let me explain.  Collectively, Code Reds I and II have hit the server I administer over 1300 times so far this month.  There's a perl script called Code Red Strikeback that would return a request to that server to shut it down.  (The script claims it only works on Code Red II infected machines.)  Basically, it would help slow Code Red down and encourage people to patch their servers.  It doesn't do anything malicious, but technically it does penetrate the system, and that would be illegal.

According to the DMCA, I don't think it's legal to send you the script or use it, as either could be construed as trafficking in circumvention technology.  Is it even legal to say such a thing exists?

The recent string of prosecutions hardly seems "spurious."  I'm guessing most of us don't think it should be illegal, but we'd also rather not risk the five years probation or ten years in prison.  From Bush all the way down, this government seems to consider hacking of any kind (including accidental) to be equal to terrorism.  (Just listen to the rhetoric when a DDOS attack hits the news.)  I can only guess at from where this comes.

Perhaps, hacking could be used to orchestrate terrorist activities, or manipulate systems that could have terrorist effects.  But hacking itself is no more terroristic than simply building a bomb, and certainly not terroristic if you're just telling people how to do it.  (Aren't there bomb-making guides on the Internet?  Are those illegal?)  I don't know what the law says about using explosives on your farm if you want to take out a tree, but I don't think it's equal to terrorism.

I'm not sure if saying Code Red Strikeback exists, is legal.  I'm fairly certain that no one is going to die or be injured because I said that, which means that should not be considered terrorism.  So, I'm willing to take my chances.  If even saying that is not legal, then it's time for politechnicals to become a lot more politically active.

Tim

*********

Date: Sun, 26 Aug 2001 14:40:43 +0100
From: David Cantrell <david at cantrell.org.uk>
To: Declan McCullagh <declan at well.com>
Subject: Re: FC: DMCA restricts police forensics tools, cryptanalysis
research?
In-Reply-To: <5.0.2.1.0.20010825181724.02134940 at mail.well.com>; from

On Sat, Aug 25, 2001 at 06:41:56PM -0400, Declan McCullagh wrote:

 > While the DMCA may well be an awful law, one thing I've never understood is
 > why many folks seem to think it bans publishing your research into security
 > flaws and so on.

I haven't read the law, but consider that most people can't afford to defend themselves in court, and so the very threat of prosecution - regardless of what the law actually says - is enough to prevent publishing.

-- 
David Cantrell | david at cantrell.org.uk
http://www.cantrell.org.uk/david

Educating this luser would be something to frustrate even the
unflappable Yoda and make him jam a lightsaber up his arse
while screaming "praise evil, the Dark Side is your friend!".
-- Derek Balling, in the Monastery

*********

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
