Arnold says:
>You can presumably write your own programs to decrypt your own files. But
>if you provide that service to someone else you could run afoul of the law
>as I read it. The DMCA prohibits trafficking in technology that can be
>used to circumvent technological protection measures. There is no language
>requiring proof that anyone's copyright was violated. Traffic for hire
>and it's a felony.

I think there's a good argument to the contrary. The DMCA only bans trafficking in devices whose _primary_ purpose is infringement. And it only applies to works "protected by this Title," that is, Title 17, which is the collection of laws pertaining to copyright.

There was a very long, drawn out discussion of what would be banned and what not before passage. It included all sorts of people traipsing up to Capitol Hill to make sure that ordinary research and system maintenance, among other things, would not be prosecuted. Bruce Schneier was among those who talked to the committees and was satisfied, as I recall, that crypto had dodged a bullet. I'm not saying that Bruce liked the bill, just that this particular fear was lessened greatly, if not eliminated, by the language that finally emerged.

>Now a prosecutor probably wouldn't pursue the case of a cryptographer who
>decoded messages on behalf of parents of some kid involved in drugs or sex
>abuse. But what if the cryptographer was told that and the data turned out
>to be someone else's? Or if the kid was e-mailing a counselor about abuse
>by his parents? Or the government really didn't like the cryptographer
>because of his political views?

It all gets down to knowingly doing something, right? If our cryptographer acted in good faith, he wouldn't be prosecuted -- the person who set him up would be.

>There is also the argument that Congress only intended to cover tools for
>breaking content protections schemes like CSS and never intended to cover
>general cryptanalysis.
>You might win with that argument in court (I
>think you should), but expect a 7 digit legal bill. And if you lose,
>we'll put up a "Free Will" web site.

No argument there!

>>>As for the legal situation before the DMCA, the Supreme Court issued a
>>>ruling last year in a case, Barniki v. Volper, of a journalist who
>>>broadcast a tape he received of an illegally intercepted cell phone
>>>conversation between two labor organizers. The court ruled that the
>>>broadcast was permissible.
>>
>>The journalist received the information from a source gratis. That's
>>different from paying for stolen goods, hiring someone to eavesdrop, or
>>breaking the law yourself. The First Amendment covers a lot, in this case.
>
>Correct. The Barniki opinion pointed out that the journalists were not
>responsible for the interception. But journalists receive purloined data
>from whistle-blowers all the time. Suppose in the future it was one of
>those e-mail messages with a cryptographically enforced expiration date? A
>journalist who broke that system might be sued under DMCA. That
>possibility might not frighten the WSJ, but what about smaller news
>organizations?

Fair enough. But what would the damages under copyright law be? They generally correspond to a harm in the market for a certain kind of information. I don't see a value for a single email on the open market except as a trade secret, say. But then you're back into First Amendment territory, as well as the vagaries of state trade-secret laws (There's no such thing in federal law). One of the failings of the federal law is that it does give unethical people room to tie up the courts. Nothing new there...

>>>So the stolen property argument you give might not hold. The change
>>>wrought by the DMCA is that it makes trafficking in the tools needed to
>>>get at encrypted data, regardless whether one has a right to (there is
>>>an exemption for law enforcement) unlawful.
>>
>>There's language governing that in the statute.
>>Trafficking in tools
>>specifically designed to break a given form of copy protection is one
>>thing. The continued availability of legal tools for cryptanalysis and
>>legitimate password cracking is another. As bad as the DMCA is, it's not
>>_that_ bad.

Arnold replied:

>I've read the statute very carefully and I never found such language. (You
>can read my analysis at
>http://world.std.com/~reinhold/DeCSSamicusbrief.html) It's certainly
>possible that I overlooked something. Perhaps you could cite the language
>you are referring to?

Sure. In Section 1204, we see reference to "works protected by this title." The DMCA as enacted is part of Title 17, which is specifically copyright laws. Copyright law in the US gives a person access to his own work and also allows for fair use _as defined by the courts_. Pro-consumer types failed to get language reminding the reader that fair use still applied. Drafters argued that would have been redundant. See ulterior motives here, if you want.

Anyway, the DMCA as enacted (with my emphasis in caps) says in Chapter 12, Sec. 1204:

"(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--

"(A) is PRIMARILY designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work PROTECTED UNDER THIS TITLE;

"(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

"(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title."

All those references to works protected under this title do nothing to keep you from getting at your own stuff.
The rest of the language also tells you if you want to use a copy of Crack to get to some of your own system files, well, go ahead.

Now, you're probably thinking "ah hah! He didn't clear up the problems with the 'primary purpose' stuff." But not quite. We have a right to use our VCRs today because a court has already ruled that a VCR's primary purpose is not piracy. So far, the courts have understood "primary purpose" to mean "This purpose and pretty much no other." Can we quibble about this? Absolutely. But I haven't heard anyone come up with a good way of saying that your system maintenance tools are legitimate, except to say that they are primarily _not_ for breaking in to others' machines. Still, who uses sniffers more, sys admins or the bad guys? I bet the latter, on any given day.

All that said, one would still want some language making clear that what researchers do is OK. The statute does it, more or less, through provisions for research in Chapter 12, Sec. 1201:

"(g) ENCRYPTION RESEARCH.--

"(1) DEFINITIONS.--For purposes of this subsection--

"(A) the term 'encryption research' means activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products; and

"(B) the term 'encryption technology' means the scrambling and descrambling of information using mathematical formulas or algorithms.

"(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH.--Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if--

"(A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;

"(B) such act is necessary to conduct such encryption research;

"(C) the person made a good faith effort to obtain authorization before the circumvention; and

"(D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

"(3) FACTORS IN DETERMINING EXEMPTION.--In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--

"(A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;

"(B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and

"(C) whether the person provides the copyright owner of the work to which the technological measure is applied with notice of the findings and documentation of the research, and the time when such notice is provided.

"(4) USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES.--Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to--

"(A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and

"(B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2)."

Note that all this leaves Ed Felten's recent work in the clear. It also explains why the RIAA soiled its legal briefs when faced with _his_ lawyers in court.

-------------------------

<Phew!>

OK, so that's my rap on why this law is bad but won't likely put anyone on this list in jail. The biggest problem, I think, is not its prohibitions but the legal cudgel it gives to certain people who would like to silence others. If this is the looming disaster many of us feared (I'm talking about stuff much worse than the DeCSS cases here) it should have fallen on us by now. The fact that it hasn't gives me hope. Maybe I'm just too naive!

Will

---------------------------------------------------------------------
The Cryptography Mailing List
