`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--

`(A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;

My reading of these paragraphs is that basically, you don't start out by releasing a program that script kiddies can download and use to break stuff. You can present your paper at Defcon, as long as there's not an executable. You can create an executable, with source code, package it up and send it to the copyright owner with a note that says "your protection is broken: here's the proof." You can shout at the top of your lungs that their crypto is broken, on all kinds of forums. You can engage in your right to fair use using your own executable, i.e., taking a five-second clip and using it in an original work where it's seen in the background as your protagonists stroll by arguing about the new sushi restaurant.

But what it looks like is, you cannot publish that executable, nor make it possible for anybody else to engage in their right to fair use. Something may appear in an anonymous channel, and if it's not traceable to you -- or downloadable from your website, etc. -- then they may sue you for having done the research that made it possible, but they will lose.

Of course, there is life outside the USA, and I'm sure some kid in Italy or Finland or Russia will cheerfully read your paper and implement the thing you describe and release it. But that kid better not visit the USA anytime real soon unless that kid publishes anonymously.

I think a lot of the flaws with the DMCA could be fixed by allowing an exemption for a "notice period" -- one year after you notify them that their crypto is broken, they've had enough time to fix it -- and if they haven't fixed it, they deserve what they get.

Bear