Re: Criminalizing crypto criticism
In message <20010727015656.A22910@cluebot.com>, Declan McCullagh writes:
One of those -- and you can thank groups like ACM for this, if my legislative memory is correct -- explicitly permits encryption research. You can argue fairly persuasively that it's not broad enough, and certainly 2600 found in the DeCSS case that the judge wasn't convinced by their arguments, but at least it's a shield of sorts. See below.
It's certainly not broad enough -- it protects "encryption" research, and the definition of "encryption" in the law is meant to cover just that, not "cryptography". And the good-faith effort to get permission is really an invitation to harassment, since you don't have to actually get permission, merely seek it.
--Steve Bellovin, http://www.research.att.com/~smb
On Friday 27 July 2001 11:13, Steven M. Bellovin wrote:
In message <20010727015656.A22910@cluebot.com>, Declan McCullagh writes:
One of those -- and you can thank groups like ACM for this, if my legislative memory is correct -- explicitly permits encryption research. You can argue fairly persuasively that it's not broad enough, and certainly 2600 found in the DeCSS case that the judge wasn't convinced by their arguments, but at least it's a shield of sorts. See below.
It's certainly not broad enough -- it protects "encryption" research, and the definition of "encryption" in the law is meant to cover just that, not "cryptography". And the good-faith effort to get permission is really an invitation to harassment, since you don't have to actually get permission, merely seek it.
Even worse is if the "encryption" is in bad faith to begin with. (i.e. They know it is broken and/or worthless, but don't want the general public to find out.)
Imagine some of the usual snake-oil crypto-schemes applied to copyrighted material. Then imagine that they use the same bunch of lawyers as the Scientologists.
This could work out to be a great money-making scam! Invent a bogus copy protection scheme. Con a bunch of suckers to buy it for their products. Sue anyone who breaks it or tries to expose you as a fraud for damages.
I mean if they can go after people for breaking things that use ROT-13 (eBooks) and 22 bit encryption (or whatever CSS actually uses), then you can go after just about anyone who threatens your business model.
I guess we *do* have the best government money can buy. We just were not the ones writing the checks...
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
At 12:00 AM 07/31/2001 -0700, Alan wrote:
I guess we *do* have the best government money can buy. We just were not the ones writing the checks...
Naahhh... You ought to be able to buy a much better government than that. :-) That actually is part of the problem - governments writing laws about things they don't really understand. It's most obvious in high-tech areas, but even something as potentially simple as the tax code confuses them, because there are thousands of pages of special cases designed mostly independently to attempt to achieve various social goals or help various special interests, too many for anyone to keep track of when trying to band-aid the code to achieve the next social or political objective. And the special interests who are successful in getting them to do things generally aren't much more competent about it, and the unexpected consequences may or may not help them.
Alan wrote:
On Friday 27 July 2001 11:13, Steven M. Bellovin wrote:
In message <20010727015656.A22910@cluebot.com>, Declan McCullagh writes:
One of those -- and you can thank groups like ACM for this, if my legislative memory is correct -- explicitly permits encryption research. You can argue fairly persuasively that it's not broad enough, and certainly 2600 found in the DeCSS case that the judge wasn't convinced by their arguments, but at least it's a shield of sorts. See below.
It's certainly not broad enough -- it protects "encryption" research, and the definition of "encryption" in the law is meant to cover just that, not "cryptography". And the good-faith effort to get permission is really an invitation to harassment, since you don't have to actually get permission, merely seek it.
Even worse is if the "encryption" is in bad faith to begin with. (i.e. They know it is broken and/or worthless, but don't want the general public to find out.)
Imagine some of the usual snake-oil crypto-schemes applied to copyrighted material. Then imagine that they use the same bunch of lawyers as the Scientologists.
This could work out to be a great money-making scam! Invent a bogus copy protection scheme. Con a bunch of suckers to buy it for their products. Sue anyone who breaks it or tries to expose you as a fraud for damages.
I mean if they can go after people for breaking things that use ROT-13 (eBooks) and 22 bit encryption (or whatever CSS actually uses), then you can go after just about anyone who threatens your business model.
I guess we *do* have the best government money can buy. We just were not the ones writing the checks...
The fundamental problem is that crypto for rights protection doesn't work in general, and certainly can't work where the decryption technology has to be in the hands of the person you are trying to protect it from. Criticising the DMCA because it protects weak crypto seems to me to be the wrong angle - it doesn't matter whether the crypto is weak or strong, it can be broken. The important thing is that we should continue to be able to demonstrate that fact. Rights management can only be done by legal and social means, not technological ones.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
At 01:13 PM 7/27/2001, Steven M. Bellovin wrote:
It's certainly not broad enough -- it protects "encryption" research, and the definition of "encryption" in the law is meant to cover just that, not "cryptography". And the good-faith effort to get permission is really an invitation to harassment, since you don't have to actually get permission, merely seek it.
Hmmm. What would happen if every "legitimate" cryptography researcher routinely transmitted an announcement to every vendor of copy protection telling them that the researcher was going to be 'researching' the vendor's products? Research is such a wonderful term. I suppose I'm doing some sort of "cryptography research" just by looking at the bits that encode some sort of protected content. I must guiltily confess that I've been doing security long enough that I look with a skeptical eye at every "security implementation" I see, even if it's just a security camera or a string of barbed wire. There are probably enough "cryptography researchers" out there that even a large vendor won't feel tempted to harass them all proactively. Rick.
On Tue, 31 Jul 2001, Rick Smith at Secure Computing wrote:
There are probably enough "cryptography researchers" out there that even a large vendor won't feel tempted to harass them all proactively.
All they have to do is make a messy example out of one or two. (It also helps if you can get a prosecutor that is working on a promotion to help out.)
alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply
Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
"All power is derived from the barrel of a gnu." - Mao Tse Stallman
I had suggested that a large number of crypto researchers take the proactive (or rather, prophylactic) step of informing *all* vendors of copy protection that the researchers are interested in studying the encryption used in their products. The notion of this would be that such an act by a large group would reduce the risk of retribution against individuals who participated.
At 05:43 PM 7/31/2001, Alan Olsen wrote:
All they have to do is make a messy example out of one or two. (It also helps if you can get a prosecutor that is working on a promotion to help out.)
I Am Not A Lawyer, so someone more knowledgeable may correct me if I'm wrong, but...
There's nothing here for a prosecutor to do. There's nothing illegal about a bona fide crypto researcher informing a vendor of an intent to study their product, which is offered for sale to the public. In fact, the researcher is complying with the legal requirements.
I don't see any way the vendor could file an injunction or take other legal action simply because someone (especially one of a large number of people) announced an intent to study their product, again, as a bona fide crypto researcher, as stated in the law.
Rick.
On Wed, 1 Aug 2001, Rick Smith at Secure Computing wrote:
I had suggested that a large number of crypto researchers take the proactive (or rather, prophylactic) step of informing *all* vendors of copy protection that the researchers are interested in studying the encryption used in their products. The notion of this would be that such an act by a large group would reduce the risk of retribution against individuals who participated.
Trying to get a large group of any profession to do one thing is next to impossible. I can see what this is going to do to third party due diligence. Say you have a company that wants to use product X. But the lawyers set in and say "prove it is reasonably secure" as a CYA measure. There are many cases where you do not want to give the company advanced warning that you are doing this, otherwise they may try and skew the results. (Making "special" versions that don't work the same as the normal one. Taking out especially dangerous features.) BTW, this is *not* a hypothetical example. I worked on a project under contract to break a security method used by an e-commerce system. When the company found out what we discovered, they were very pissed off. If we had not had one of the bigger computer companies backing us up on the project, they would have probably sent lawyers after us. (At some point, the information will get out. The details of snake-oilness are pretty funny, in a sad sick way.) The security industry is going to be seriously burned by this. If I were to get a group of people together, it would be the security professionals. I would have them boycott the US Government and any of the supporters of the DMCA. Just refuse to do work for them and explain why. (Something like "If I do my job, you might decide to put me in jail on a whim".)
At 05:43 PM 7/31/2001, Alan Olsen wrote:
All they have to do is make a messy example out of one or two. (It also helps if you can get a prosecutor that is working on a promotion to help out.)
I Am Not A Lawyer, so someone more knowledgeable may correct me if I'm wrong, but...
There's nothing here for a prosecutor to do. There's nothing illegal about a bona fide crypto researcher informing a vendor of an intent to study their product, which is offered for sale to the public. In fact, the researcher is complying with the legal requirements.
I don't see any way the vendor could file an injunction or take other legal action simply because someone (especially one of a large number of people) announced an intent to study their product, again, as a bona fide crypto researcher, as stated in the law.
Rick.
alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply
Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
"All power is derived from the barrel of a gnu." - Mao Tse Stallman
participants (6)
- Alan
- Alan Olsen
- Ben Laurie
- Bill Stewart
- Rick Smith at Secure Computing
- Steven M. Bellovin