Criminalizing crypto criticism

David Jablon dpj at world.std.com
Fri Jul 27 16:11:10 PDT 2001


... not especially crypto related, but ...

There is a serious problem with a law that broadly encroaches on freedom of
speech, patched-up with vague and complex exceptions that only a lawyer can
decipher.  Worse still, interpretation here seems to require as-yet-undetermined
case law.

A patchwork of exceptions, tailored to satisfy special interest groups, is a
very sloppy and incomplete way to deal with a fundamental problem.

I suppose my years of exposure to bad software have sensitized me to bad law,
so sorry for the rant.

-- David

At 06:36 PM 7/27/01 -0400, Arnold G. Reinhold wrote:
>At 1:56 AM -0400 7/27/2001, Declan McCullagh wrote:
>>On Thu, Jul 26, 2001 at 10:53:02PM -0400, David Jablon wrote:
>>>[...] We seem to be entering the twilight zone -- the end of an exciting,
>>>but brief era -- of public cryptography.
>>
>>The DMCA may be bad, but it's not *that* bad. It contains a broad
>>prohibition against circumvention ("No person shall circumvent a
>>technological measure that effectively controls access") and then has
>>a bunch of exceptions.
>>
>>One of those -- and you can thank groups like ACM for this, if my
>>legislative memory is correct -- explicitly permits encryption
>>research. You can argue fairly persuasively that it's not broad
>>enough, and certainly 2600 found in the DeCSS case that the judge
>>wasn't convinced by their arguments, but at least it's a shield of
>>sorts. See below.
>
>If you read the language carefully, you will see that 1201g only permits *circumvention* as part of cryptographic research (and then only under limited circumstances). There is nothing in the law that allows publication of results.
>
>Even the recent Shamir, et. al. paper on RC4 and WEP could arguably violate DMCA. WEP could be considered a TPM since it protects copyrighted works (e.g. e-mail). More importantly RC4 could be used in some other copy protection system that we don't know about -- it's use might even be a trade secret.  There is simply no way to guarantee that a given cryptoanalytic result doesn't compromise some TPM. Even software that breaks Ceaser ciphers could be actionable. DCMA is *that* bad.
>
>Arnold Reinhold
>
>
>>
>>-Declan
>>
>>PS: Some background on Sklyarov case:
>>http://www.politechbot.com/cgi-bin/politech.cgi?name=sklyarov
>>
>>PPS: Note you only get the exemption if you make "a good faith effort
>>to obtain authorization before the circumvention." Gotta love
>>Congress, eh?
>>
>>
>>
>>http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:
>>
>>`(g) ENCRYPTION RESEARCH-
>>
>>`(1) DEFINITIONS- For purposes of this subsection--
>>
>>`(A) the term `encryption research' means activities necessary to
>>identify and analyze flaws and vulnerabilities of encryption
>>technologies applied to copyrighted works, if these activities are
>>conducted to advance the state of knowledge in the field of encryption
>>technology or to assist in the development of encryption products; and
>>
>>`(B) the term `encryption technology' means the scrambling and
>>descrambling of information using mathematical formulas or algorithms.
>>
>>`(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH- Notwithstanding the
>>provisions of subsection (a)(1)(A), it is not a violation of that
>>subsection for a person to circumvent a technological measure as
>>applied to a copy, phonorecord, performance, or display of a published
>>work in the course of an act of good faith encryption research if--
>>
>>`(A) the person lawfully obtained the encrypted copy, phonorecord,
>>performance, or display of the published work;
>>
>>`(B) such act is necessary to conduct such encryption research;
>>
>>`(C) the person made a good faith effort to obtain authorization
>>before the circumvention; and
>>
>>`(D) such act does not constitute infringement under this title or a
>>violation of applicable law other than this section, including section
>>1030 of title 18 and those provisions of title 18 amended by the
>>Computer Fraud and Abuse Act of 1986.
>>
>>`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person
>>qualifies for the exemption under paragraph (2), the factors to be
>>considered shall include--
>>
>>`(A) whether the information derived from the encryption research was
>>disseminated, and if so, whether it was disseminated in a manner
>>reasonably calculated to advance the state of knowledge or development
>>of encryption technology, versus whether it was disseminated in a
>>manner that facilitates infringement under this title or a violation
>>of applicable law other than this section, including a violation of
>>privacy or breach of security;
>>
>>`(B) whether the person is engaged in a legitimate course of study, is
>>employed, or is appropriately trained or experienced, in the field of
>>encryption technology; and
>>
>>`(C) whether the person provides the copyright owner of the work to
>>which the technological measure is applied with notice of the findings
>>and documentation of the research, and the time when such notice is
>>provided.
>>
>>`(4) USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES-
>>Notwithstanding the provisions of subsection (a)(2), it is not a
>>violation of that subsection for a person to--
>>
>>`(A) develop and employ technological means to circumvent a
>>technological measure for the sole purpose of that person performing
>>the acts of good faith encryption research described in paragraph (2);
>>and
>>
>>`(B) provide the technological means to another person with whom he or
>>she is working collaboratively for the purpose of conducting the acts
>>of good faith encryption research described in paragraph (2) or for
>>the purpose of having that other person verify his or her acts of good
>>faith encryption research described in paragraph (2).





More information about the cypherpunks-legacy mailing list