Re: Criminalizing crypto criticism
Arnold Reinhold writes:
If you read the language carefully, you will see that 1201g only permits *circumvention* as part of cryptographic research (and then only under limited circumstances). There is nothing in the law that allows publication of results.
Not true. Look closely at http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR: (note that the final colon is part of the URL). 1201(a)(1)(A): No person shall circumvent a technological measure that effectively controls access to a work protected under this title. This is the basic provision which outlaws circumvention. 1201(g)(2): PERMISSIBLE ACTS OF ENCRYPTION RESEARCH- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if-- [Various provisions, including making a good faith effort to get permission] And this is the provision which allows encryption research even when that involves circumvention. Neither of these addresses publication. This is possibly covered in the following: 1201(a)(2): No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that-- (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title; (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title. It is not at all clear that publishing a research result relating to a cryptographic problem in a copyright protecting technology would fall into any of these categories. First, such a publication is clearly not a "product, service, device, component, or part thereof". Conceivably it could be a "technology" although most cryptographic papers are a long way from an actual technology. Second, the primary purpose of such a publication is not to enable circumvention, but to advance the state of the art in science. Hence it is not covered by provision (a)(2)(A), and not by (B) or (C) either. Nevertheless if publication were to be interpreted as being covered by this provision, there is a further exception in 1201(g): 1201(g)(4): USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to-- (A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and (B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2). Again, this appears to be interpreted in the context of (A)(2) forbidding the actual construction of devices which are are developed, employed, and distributed. Even if we interpret (A)(2) to include cryptographic publications, however, the provision still applies. Note in particular the language in (B) which allows another person to verify the act of good faith encryption research. This is one of the main purposes of publication, to allow verification of the results by others. Hence publications which show cryptographic holes in deployed encryption systems are exempt. This provision also allows the distribution of circumvention software for legitimate research purposes. Note too the additional provision: 1201(c)(4): Nothing in this section shall enlarge or diminish any rights of free speech or the press for activities using consumer electronics, telecommunications, or computing products. Clearly publication of cryptographic results is a fundamental part of free speech and will not be infringed by the DMCA. Much of the hysteria regarding the DMCA's supposed ability to quash free speech by cryptographic researchers is being whipped up by opponents to the DMCA who are misrepresenting the DMCA in a calculated fashion in order to promote opposition. Consider two recent cases. Dmitry Sklyarov of Russia has been arrested for violating the DMCA. Many DMCA opponents initially claimed that he had been arrested for discussing problems in Adobe's ebook software. This claim was false and has been largely abandoned now, but it has served its pupose of giving the impression that DMCA will criminalize publication. Princeton Professor Edward Felten and his research team were prevented from presenting their results regarding flaws in SDMI at the Information Hiding Workshop, based on a letter from the Recording Industry Association of America which claimed that such publication would violate the DMCA. In this case, the RIAA was mistaken about the application of the DMCA, as the above analysis makes clear. In fact the RIAA takes that same position now, as seen in http://www.eff.org/Legal/Cases/Felten_v_RIAA/20010606_riaa_statement.html. The decision to pull out of the conference was made jointly by Felten, his team, and conference organizers. If they made the decision based on fears of the DMCA, their decision was mistaken. Again, anti-DMCA forces have used this case as an example of how the DMCA supposedly prevents free speech. In fact it is more an example of how the misinformation spread by DMCA opponents is preventing free speech. Had the true facts about the DMCA been widely known and disseminated, Felten et al would have presented their paper and the RIAA's letter would have been seen at the empty threat it was. (Yes, lawyers issue letters with empty threats and bluffs all the time. It's called the real world, folks.) There are many problems with the DMCA, but opponents will serve their cause best by being honest and straightforward about what the measure does and does not do. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
This is a reasonable post, based on my quick read of it. The DMCA may be bad, but there are far worse things that Congress could do. I may write a more detailed analysis tomorrow. -Declan On Sat, Jul 28, 2001 at 02:00:02AM -0000, lcs Mixmaster Remailer wrote:
Arnold Reinhold writes:
If you read the language carefully, you will see that 1201g only permits *circumvention* as part of cryptographic research (and then only under limited circumstances). There is nothing in the law that allows publication of results.
Not true. Look closely at http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR: (note that the final colon is part of the URL).
1201(a)(1)(A): No person shall circumvent a technological measure that effectively controls access to a work protected under this title.
This is the basic provision which outlaws circumvention.
1201(g)(2): PERMISSIBLE ACTS OF ENCRYPTION RESEARCH- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if-- [Various provisions, including making a good faith effort to get permission]
And this is the provision which allows encryption research even when that involves circumvention.
Neither of these addresses publication. This is possibly covered in the following:
1201(a)(2): No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that-- (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
It is not at all clear that publishing a research result relating to a cryptographic problem in a copyright protecting technology would fall into any of these categories. First, such a publication is clearly not a "product, service, device, component, or part thereof". Conceivably it could be a "technology" although most cryptographic papers are a long way from an actual technology.
Second, the primary purpose of such a publication is not to enable circumvention, but to advance the state of the art in science. Hence it is not covered by provision (a)(2)(A), and not by (B) or (C) either.
Nevertheless if publication were to be interpreted as being covered by this provision, there is a further exception in 1201(g):
1201(g)(4): USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to--
(A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and
(B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2).
Again, this appears to be interpreted in the context of (A)(2) forbidding the actual construction of devices which are are developed, employed, and distributed. Even if we interpret (A)(2) to include cryptographic publications, however, the provision still applies. Note in particular the language in (B) which allows another person to verify the act of good faith encryption research. This is one of the main purposes of publication, to allow verification of the results by others.
Hence publications which show cryptographic holes in deployed encryption systems are exempt. This provision also allows the distribution of circumvention software for legitimate research purposes.
Note too the additional provision:
1201(c)(4): Nothing in this section shall enlarge or diminish any rights of free speech or the press for activities using consumer electronics, telecommunications, or computing products.
Clearly publication of cryptographic results is a fundamental part of free speech and will not be infringed by the DMCA.
Much of the hysteria regarding the DMCA's supposed ability to quash free speech by cryptographic researchers is being whipped up by opponents to the DMCA who are misrepresenting the DMCA in a calculated fashion in order to promote opposition. Consider two recent cases.
Dmitry Sklyarov of Russia has been arrested for violating the DMCA. Many DMCA opponents initially claimed that he had been arrested for discussing problems in Adobe's ebook software. This claim was false and has been largely abandoned now, but it has served its pupose of giving the impression that DMCA will criminalize publication.
Princeton Professor Edward Felten and his research team were prevented from presenting their results regarding flaws in SDMI at the Information Hiding Workshop, based on a letter from the Recording Industry Association of America which claimed that such publication would violate the DMCA.
In this case, the RIAA was mistaken about the application of the DMCA, as the above analysis makes clear. In fact the RIAA takes that same position now, as seen in http://www.eff.org/Legal/Cases/Felten_v_RIAA/20010606_riaa_statement.html. The decision to pull out of the conference was made jointly by Felten, his team, and conference organizers. If they made the decision based on fears of the DMCA, their decision was mistaken.
Again, anti-DMCA forces have used this case as an example of how the DMCA supposedly prevents free speech. In fact it is more an example of how the misinformation spread by DMCA opponents is preventing free speech. Had the true facts about the DMCA been widely known and disseminated, Felten et al would have presented their paper and the RIAA's letter would have been seen at the empty threat it was. (Yes, lawyers issue letters with empty threats and bluffs all the time. It's called the real world, folks.)
There are many problems with the DMCA, but opponents will serve their cause best by being honest and straightforward about what the measure does and does not do.
Much of the hysteria regarding the DMCA's supposed ability to quash free speech by cryptographic researchers is being whipped up by opponents to the DMCA who are misrepresenting the DMCA in a calculated fashion in order to promote opposition.
The anonymous poster's legal analysis was not particularly novel. It states that the "exemptions" in the DMCA actually cover the things that they were supposedly intended to cover. That would be a refreshing change if it were true, but the law is full of weasel words and exemptions to the exemptions. Only accredited researchers, not cypherpunks, can do research, for example. And you're only exempt if you tell the company first, so they know to sue you before you do the research, rather than after the results are leaking out to the public. Neither my opinion nor the poster's opinion controls, though. What matters is what the judges will say, and how expensive it is to ordinary researchers to find out. In the 2600 case, what the judge said is that even if Jon Johansen might have been able to reverse- engineer DVD players under an exemption (an issue that he didn't decide), 2600 Magazine was unable, under the statute, to publish even *A LINK* to Jon's results. The judge swept aside all the clauses like:
1201(c)(4): Nothing in this section shall enlarge or diminish any rights of free speech or the press for activities using consumer electronics, telecommunications, or computing products.
Clearly publication of cryptographic results is a fundamental part of free speech and will not be infringed by the DMCA.
The other side argued in the 2600 appeal that this was a standard "savings clause" inserted in the legislation and was not intended to mean anything. It goes like this: either the law is constitutional or it isn't. If it is constitutional, this clause is inoperative, since clearly those Constitutional rights weren't diminished. If the law violates the Constitution, then the Constitution, not the statute, controls what rights the public has; again this clause doesn't. The judge agreed with the government and Hollywood that it was clearly put in there to "buy off" some opponents of the DMCA and didn't have any legal effect. The only minor issue is that THOSE SUCKERS ACTUALLY BELIEVED IT, dropped their opposition, and let the DMCA become law. But that wasn't the judge's problem -- only the defendant's.
In fact the RIAA takes that same position now, as seen in http://www.eff.org/Legal/Cases/Felten_v_RIAA/20010606_riaa_statement.html.
Because the Felten case so clearly shows what's wrong with the DMCA, RIAA is desparately trying to convince the court that it need not, indeed cannot, make any decision in the Felten case. Therefore SDMI/RIAA is lying to the public and the court by saying that it never, *ever*, intended to sue or threaten. It was merely informing people about their rights, you see. They have moved to dismiss the case on the grounds that "we agree with the other side's legal analysis, so there's no issue for a court to decide." They only agree long enough to get out of that courtroom, then they'll find some way to be disagreeable again. The judge will decide whether to believe them or not; the papers are still being filed about that.
Princeton Professor Edward Felten and his research team were prevented from presenting their results regarding flaws in SDMI at the Information Hiding Workshop, based on a letter from the Recording Industry Association of America which claimed that such publication would violate the DMCA. In this case, the RIAA was mistaken about the application of the DMCA, as the above analysis makes clear.
Their mistakenness didn't prevent the RIAA from sending legal threats to every author of the Felten paper, every member of the conference committee that had decided to publish it, AND ALL OF THEIR BOSSES (one of whom, a US Navy commander, shamefully abandoned the soldier-under- fire who was reporting to him). It didn't prevent Adobe from getting its competitor Elcomsoft kicked off of four different spineless ISPs, by sending lawyer letters alleging copyright infringement TO THE ISP, when there was no copyright infringement going on. Mistakes in analysis, reconsidered a week later by Adobe, didn't prevent a US Attorney's office from bringing charges against Dmitry. Attorney General Ashcroft just announced that they're setting up a dozen more similar computer-and-copyright-prosecution task forces around the country -- none of which will have any practical experience with the DMCA yet. Their mistakes are your problem, not their problem, until YOU sue THEM. Will everyone in the infrastructure on whom you depend be as strong as you are in protecting your rights? After you lose your job, your Internet access, and your freedom of motion, because your scientific work threatened some lawyer-infested company's business model, if you have lots of spare money or raise lots of money somehow, you can have your day in court, "as the above analysis makes clear". And then maybe your judge will agree with the 2600 judge, or maybe he'll agree with the anonymous poster. Maybe the anonymous poster IS Judge Kaplan and he's changed his mind. I'll see you in court. John PS: EFF won't be able to take every case that comes along. The community's donations to EFF have been gratifying, useful, indeed essential. But there is far more money going into rabid company lawyers than is going into EFF or anywhere else for DMCA legal defense. It's classic public choice economics -- the benefit of the DMCA is concentrated in big profits to small numbers of companies, while the harm of the DMCA is spread widely through society. The companies will spend a lot to get those profits, while relatively few people will want to spend much to defend against them. EFF will have to pick which cases to focus on: ones where we can set precedents and get good leverage that will ultimately help the most people. But some people -- I predict many people -- are going to twist in the wind or in prison for years, before the courts or Congress are pushed into fixing the havoc caused by rabid copyright maximalists. So what if it decimates our profession? We're a tiny minority of society, and we don't bribe any legislators. They'll only notice that we matter after we're gone, when their security infrastructures fall to bits. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
get good leverage that will ultimately help the most people. But some people -- I predict many people -- are going to twist in the wind or in prison for years, before the courts or Congress are pushed into fixing the havoc caused by rabid copyright maximalists. So what if it
It was never and never will be in the interest of the government and its concessionees to have crypto-educated general public (EU commission called for more crypto solely because they were pissed off that US agencies can snoop EU subjects better than EU agencies themselves - this is a temporary aberration). There is no money to "push courts or Congress". Unlike alcohol Prohibition bad crypto is much harder to explain - do not expect mass rallies. Those 80 in San Jose and maybe another hundred or two worldwide is the total number. If the logic of late sixties still holds, few hundred protesters is far below the Congress influence threshold.
decimates our profession? We're a tiny minority of society, and we don't bribe any legislators. They'll only notice that we matter after we're gone, when their security infrastructures fall to bits.
It seems to me that the thesis about the *value* of cypherpunks' enhancement of security by breaking weak solutions needs to be qualified. Those advances (so far) tend to help "general public" realise what the state of security is (GSM, 802.11, DeCSS, Deep Crack, eBook) and tend to hurt corporations and government. This charity service *costs* those two a lot - real money is lost because of it. Replacement of 56-bit DES costs tons of cash and fucks up echelonning. I wouldn't hold my breath for "courts or Congress" to appreciate it. This should stay a pure thought-crime and freedom of speech issue. Maybe we should engage in "Fahrenheit 451"-like solutions: memorizing banned code and saying it aloud. A simple program that adds redundancy to C so that spoken version can be correctly transliterated into the working code would do. ===== end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/
participants (4)
-
Declan McCullagh -
John Gilmore -
lcs Mixmaster Remailer -
Morlock Elloi