Re: Criminalizing crypto criticism
On Thu, Jul 26, 2001 at 10:53:02PM -0400, David Jablon wrote:
With these great new laws, there is no longer any risk of being legally criticised for using even the most glaringly flawed cryptography -- just use it for Copy Protection, and TADA! Negative criticism magically disappears. Almost by definition.
Flaws can only be exposed by those who won't show their work, or from anonymous sources, who nobody will trust without confirmation [...] [...] We seem to be entering the twilight zone -- the end of an exciting, but brief era -- of public cryptography.
The DMCA may be bad, but it's not *that* bad. It contains a broad prohibition against circumvention ("No person shall circumvent a technological measure that effectively controls access") and then has a bunch of exceptions.
One of those -- and you can thank groups like ACM for this, if my legislative memory is correct -- explicitly permits encryption research. You can argue fairly persuasively that it's not broad enough, and certainly 2600 found in the DeCSS case that the judge wasn't convinced by their arguments, but at least it's a shield of sorts. See below.
-Declan
PS: Some background on Sklyarov case: http://www.politechbot.com/cgi-bin/politech.cgi?name=sklyarov
PPS: Note you only get the exemption if you make "a good faith effort to obtain authorization before the circumvention." Gotta love Congress, eh?
http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:
`(g) ENCRYPTION RESEARCH-
`(1) DEFINITIONS- For purposes of this subsection--
`(A) the term `encryption research' means activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products; and
`(B) the term `encryption technology' means the scrambling and descrambling of information using mathematical formulas or algorithms.
`(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if--
`(A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;
`(B) such act is necessary to conduct such encryption research;
`(C) the person made a good faith effort to obtain authorization before the circumvention; and
`(D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--
`(A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;
`(B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and
`(C) whether the person provides the copyright owner of the work to which the technological measure is applied with notice of the findings and documentation of the research, and the time when such notice is provided.
`(4) USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to--
`(A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and
`(B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2).
At 01:56 AM 7/27/01 -0400, Declan McCullagh wrote:
The DMCA may be bad, but it's not *that* bad. It contains a broad prohibition against circumvention ("No person shall circumvent a technological measure that effectively controls access") and then has a bunch of exceptions.
I'm getting sick of calling *legal bypass* "circumvention" as if this were a dirty word. If I lose a key to my house it is not illegal to circumvent the lock. If I need to make a backup of licensed data it's not illegal to bypass obstacles. "Circumvention", literally "to go around", is not illegal. Only unlicensed copying is. Period. Any prohibition on this is "overbroad" to the point of being dead at birth. (Not picking on Declan. Mostly venting.)
One of those -- and you can thank groups like ACM for this, if my legislative memory is correct -- explicitly permits encryption research.
So who arbitrates who gets to be called a "researcher"?? "We are all special objects."
At 1:56 AM -0400 7/27/2001, Declan McCullagh wrote:
On Thu, Jul 26, 2001 at 10:53:02PM -0400, David Jablon wrote:
With these great new laws, there is no longer any risk of being legally criticised for using even the most glaringly flawed cryptography -- just use it for Copy Protection, and TADA! Negative criticism magically disappears. Almost by definition.
Flaws can only be exposed by those who won't show their work, or from anonymous sources, who nobody will trust without confirmation [...] [...] We seem to be entering the twilight zone -- the end of an exciting, but brief era -- of public cryptography.
The DMCA may be bad, but it's not *that* bad. It contains a broad prohibition against circumvention ("No person shall circumvent a technological measure that effectively controls access") and then has a bunch of exceptions.
One of those -- and you can thank groups like ACM for this, if my legislative memory is correct -- explicitly permits encryption research. You can argue fairly persuasively that it's not broad enough, and certainly 2600 found in the DeCSS case that the judge wasn't convinced by their arguments, but at least it's a shield of sorts. See below.
If you read the language carefully, you will see that 1201g only permits *circumvention* as part of cryptographic research (and then only under limited circumstances). There is nothing in the law that allows publication of results.
Even the recent Shamir, et al. paper on RC4 and WEP could arguably violate DMCA. WEP could be considered a TPM since it protects copyrighted works (e.g. e-mail). More importantly RC4 could be used in some other copy protection system that we don't know about -- its use might even be a trade secret. There is simply no way to guarantee that a given cryptanalytic result doesn't compromise some TPM. Even software that breaks Caesar ciphers could be actionable. DMCA is *that* bad.
Arnold Reinhold
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
On Fri, Jul 27, 2001 at 06:36:53PM -0400, Arnold G. Reinhold wrote: [..]
If you read the language carefully, you will see that 1201g only permits *circumvention* as part of cryptographic research (and then only under limited circumstances). There is nothing in the law that allows publication of results.
Even the recent Shamir, et al. paper on RC4 and WEP could arguably violate DMCA. WEP could be considered a TPM since it protects copyrighted works (e.g. e-mail). More importantly RC4 could be used in some other copy protection system that we don't know about
Like an Adobe product- PDF uses RC4 for its "password protection".
Eric
... not especially crypto related, but ...
There is a serious problem with a law that broadly encroaches on freedom of speech, patched-up with vague and complex exceptions that only a lawyer can decipher. Worse still, interpretation here seems to require as-yet-undetermined case law.
A patchwork of exceptions, tailored to satisfy special interest groups, is a very sloppy and incomplete way to deal with a fundamental problem.
I suppose my years of exposure to bad software have sensitized me to bad law, so sorry for the rant.
-- David
At 06:36 PM 7/27/01 -0400, Arnold G. Reinhold wrote:
At 1:56 AM -0400 7/27/2001, Declan McCullagh wrote:
On Thu, Jul 26, 2001 at 10:53:02PM -0400, David Jablon wrote:
[...] We seem to be entering the twilight zone -- the end of an exciting, but brief era -- of public cryptography.
The DMCA may be bad, but it's not *that* bad. It contains a broad prohibition against circumvention ("No person shall circumvent a technological measure that effectively controls access") and then has a bunch of exceptions.
One of those -- and you can thank groups like ACM for this, if my legislative memory is correct -- explicitly permits encryption research. You can argue fairly persuasively that it's not broad enough, and certainly 2600 found in the DeCSS case that the judge wasn't convinced by their arguments, but at least it's a shield of sorts. See below.
If you read the language carefully, you will see that 1201g only permits *circumvention* as part of cryptographic research (and then only under limited circumstances). There is nothing in the law that allows publication of results.
Even the recent Shamir, et al. paper on RC4 and WEP could arguably violate DMCA. WEP could be considered a TPM since it protects copyrighted works (e.g. e-mail). More importantly RC4 could be used in some other copy protection system that we don't know about -- its use might even be a trade secret. There is simply no way to guarantee that a given cryptanalytic result doesn't compromise some TPM. Even software that breaks Caesar ciphers could be actionable. DMCA is *that* bad.
Arnold Reinhold
Participants (5): Arnold G. Reinhold, David Honig, David Jablon, Declan McCullagh, Eric Murray