At 5:16 PM -0500 1/21/02, Will Rodger wrote:
>Arnold says:
>
>>You can presumably write your own programs to decrypt your own files. But if you provide that service to someone else you could run afoul of the law as I read it. The DMCA prohibits trafficking in technology that can be used to circumvent technological protection measures. There is no language requiring proof that anyone's copyright was violated. Traffic for hire and it's a felony.
>
>I think there's a good argument to the contrary.
>
>The DMCA only bans trafficking in devices whose _primary_ purpose is infringement.

No, DMCA bans trafficking in devices whose primary purpose is *circumvention.* I'm not trying to nitpick, it's an important point. DMCA creates a whole new class of proscribed activity, circumvention, that does not require proof of infringement. As for the phrase "primary purpose," I can easily see a judge accepting the argument that the primary purpose of a tool that breaks encryption is circumvention as defined in this act. In the 2600 case, the defense argued that DeCSS was also useful for playing purchased DVDs on Linux machines and for fair use. The courts dismissed this argument.

>And it only applies to works "protected by this Title," that is, Title 17, which is the collection of laws pertaining to copyright.

Right, but just about everything written today is copyrighted from the moment of creation. You have to go out of your way (or work for the U.S. government) to place new works in the public domain.

>There was a very long, drawn out discussion of what would be banned and what not before passage. It included all sorts of people traipsing up to Capitol Hill to make sure that ordinary research and system maintenance, among other things, would not be prosecuted. Bruce Schneier was among those who talked to the committees and was satisfied, as I recall, that crypto had dodged a bullet. I'm not saying that Bruce liked the bill, just that this particular fear was lessened greatly, if not eliminated, by the language that finally emerged.

I've heard that story as well. I don't know if he saw the final language, how long he had to study it or what he based that opinion on. Maybe there is some statement in the legislative history, which is only what the legislators said about the bill, that might be helpful in court. Absent that, we have to rely on what the law actually says. Bruce's opinion of what the law means would carry no weight in court.
>
>>Now a prosecutor probably wouldn't pursue the case of a cryptographer who decoded messages on behalf of parents of some kid involved in drugs or sex abuse. But what if the cryptographer was told that and the data turned out to be someone else's? Or if the kid was e-mailing a counselor about abuse by his parents? Or the government really didn't like the cryptographer because of his political views?
>
>It all gets down to knowingly doing something, right? If our cryptographer acted in good faith, he wouldn't be prosecuted -- the person who set him up would be.

I see nothing in the law that exempts you from liability if you didn't know you acted without authorization of the copyright holder. There is a provision, 1203(c)(5), that lets a court reduce civil damages if you didn't know. That presumably does not apply to the criminal provisions and prosecutors are notorious for doing whatever it takes if they want to get someone. See, for example http://www.nytimes.com/2002/01/21/nyregion/21CLEA.html

>>There is also the argument that Congress only intended to cover tools for breaking content protection schemes like CSS and never intended to cover general cryptanalysis. You might win with that argument in court (I think you should), but expect a 7 digit legal bill. And if you lose, we'll put up a "Free Will" web site.
>
>No argument there!
>
>>>>As for the legal situation before the DMCA, the Supreme Court issued a ruling last year in a case, Bartnicki v. Vopper, of a journalist who broadcast a tape he received of an illegally intercepted cell phone conversation between two labor organizers. The court ruled that the broadcast was permissible.
>>>
>>>The journalist received the information from a source gratis. That's different from paying for stolen goods, hiring someone to eavesdrop, or breaking the law yourself. The First Amendment covers a lot, in this case.
>>
>>Correct.
>>The Bartnicki opinion pointed out that the journalists were not responsible for the interception. But journalists receive purloined data from whistle-blowers all the time. Suppose in the future it was one of those e-mail messages with a cryptographically enforced expiration date? A journalist who broke that system might be sued under DMCA. That possibility might not frighten the WSJ, but what about smaller news organizations?
>
>Fair enough. But what would the damages under copyright law be? They generally correspond to a harm in the market for a certain kind of information. I don't see a value for a single email on the open market except as a trade secret, say. But then you're back into First Amendment territory, as well as the vagaries of state trade-secret laws (There's no such thing in federal law). One of the failings of the federal law is that it does give unethical people room to tie up the courts. Nothing new there...

Again, there is this new offence called circumvention. You don't need to prove infringement or trade secrets. There are statutory damages (1203(c)(3)(A)), $200 to $2500 per act of circumvention "as the court considers just," plus you can be assessed the legal expenses of the other side. But the real kicker is that circumvention for hire is a felony.

>>>>So the stolen property argument you give might not hold. The change wrought by the DMCA is that it makes trafficking in the tools needed to get at encrypted data, regardless whether one has a right to (there is an exemption for law enforcement) unlawful.
>>>
>>>There's language governing that in the statute. Trafficking in tools specifically designed to break a given form of copy protection is one thing. The continued availability of legal tools for cryptanalysis and legitimate password cracking is another. As bad as the DMCA is, it's not _that_ bad.
>
>Arnold replied:
>
>>I've read the statute very carefully and I never found such language.
>>(You can read my analysis at http://world.std.com/~reinhold/DeCSSamicusbrief.html) It's certainly possible that I overlooked something. Perhaps you could cite the language you are referring to?
>
>Sure.
>
>In Section 1204, we see reference to "works protected by this title." The DMCA as enacted is part of Title 17, which is specifically copyright laws. Copyright law in the US gives a person access to his own work and also allows for fair use _as defined by the courts_. Pro-consumer types failed to get language reminding the reader that fair use still applied. Drafters argued that would have been redundant. See ulterior motives here, if you want.

Ulterior motives or no, it's not in the law. Judge Kaplan and the Court of Appeals for the 2nd Circuit flatly rejected fair use arguments in the 2600 case. The 2nd Circuit wrote "Fair use has never been held to be a guarantee of access to copyrighted material in order to copy by the fair user's preferred technique or in the format of the original."

>Anyway, the DMCA as enacted (with my emphasis in caps) says in Chapter 12, Sec. 1204:
>
>‘‘(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—
>
>‘‘(A) is PRIMARILY designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work PROTECTED UNDER THIS TITLE;

Again just about any work produced today is copyrighted and therefore protected under this title.

>‘‘(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
>
>‘‘(C) is marketed by that person or another acting in concert with that person with that person’s knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title."
>
>All those references to works protected under this title do nothing to keep you from getting at your own stuff. The rest of the language also tells you if you want to use a copy of Crack to get to some of your own system files, well, go ahead.

I agree that you can get at your own work. I said you might be over the line if you help someone else get at their stuff, especially if you get paid for it. In drafting this reply, I found a footnote (14) in the Second Circuit's 2600 opinion that suggests such assistance *is* permissible:

"When read together with the anti-trafficking provisions, subsection 1201(a)(3)(A) frees an individual to traffic in encryption technology designed or marketed to circumvent an encryption measure if the owner of the material protected by the encryption measure authorizes that circumvention."

I am not a lawyer, but I think this might be considered "dicta," statements in a court opinion that are not necessary to the decision, and lack binding precedential value. There is also the question of what "owner" means. Still, it is encouraging.

>Now, you're probably thinking "ah hah! He didn't clear up the problems with the 'primary purpose' stuff." But not quite. We have a right to use our VCRs today because a court has already ruled that a VCR's primary purpose is not piracy. So far, the courts have understood "primary purpose" to mean "This purpose and pretty much no other."

As I pointed out above, other uses arguments have not gotten anywhere in court to date with respect to DMCA.

>Can we quibble about this? Absolutely. But I haven't heard anyone come up with a good way of saying that your system maintenance tools are legitimate, except to say that they are primarily _not_ for breaking in to others' machines. Still, who uses sniffers more, sys admins or the bad guys? I bet the latter, on any given day.

DMCA is much more broadly written than 18 USC 1030, which deals with breaking into others' machines.
>
>All that said, one would still want some language making clear that what researchers do is OK. The statute does it, more or less, through provisions for research in Chapter 12, Sec. 1201:

I would say less. See my comments below and my amicus brief http://world.std.com/~reinhold/DeCSSamicusbrief.html, which the Second Circuit ignored.

>‘‘(g) ENCRYPTION RESEARCH.—
>
>‘‘(1) DEFINITIONS.—For purposes of this subsection—
>
>‘‘(A) the term ‘encryption research’ means activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products; and

This applies to research, not other uses of cryptanalytic technology.

>‘‘(B) the term ‘encryption technology’ means the scrambling and descrambling of information using mathematical formulas or algorithms.
>
>‘‘(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH.—Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if—
>
>‘‘(A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;

Save that receipt.

>‘‘(B) such act is necessary to conduct such encryption research;

The judge is looking over your shoulder.

>‘‘(C) the person made a good faith effort to obtain authorization before the circumvention; and

You have to ask permission and expose yourself to possible legal action. Has anyone here actually tried to get permission from a copyright owner to attempt to break encryption?
>
>‘‘(D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
>
>‘‘(3) FACTORS IN DETERMINING EXEMPTION.—In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include—

The phrase "factors to be considered" means each situation requires a separate, time-consuming and expensive determination by a court.

>‘‘(A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;

If you publish too many details, you may lose your research exemption.

>‘‘(B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and

I trust everyone's credentials are in order.

>‘‘(C) whether the person provides the copyright owner of the work to which the technological measure is applied with notice of the findings and documentation of the research, and the time when such notice is provided.

You have to give them another opportunity to sue before you publish.

>‘‘(4) USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES.
>—Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to—
>
>‘‘(A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and
>
>‘‘(B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2)."

Note that there is nothing in the above two paragraphs that permits one to *publish* the results of the research.

>Note that all this leaves Ed Felten's recent work in the clear. It also explains why the RIAA soiled its legal briefs when faced with _his_ lawyers in court.

Felten was threatened for attempting to publish his work, not for doing the research. Again, there is no language in the law that authorizes publication. I don't know what the RIAA was thinking, but they were on shaky First Amendment grounds and probably did not want to lose an early test of the law. If the law is upheld elsewhere, they may get bolder.

>-------------------------
>
><Phew!>
>
>OK. so that's my rap on why this law is bad but won't likely put anyone on this list in jail. The biggest problem, I think, is not its prohibitions but the legal cudgel it gives to certain people who would like to silence others.
>
>If this is the looming disaster many of us feared (I'm talking about stuff much worse than the DeCSS cases here) it should have fallen on us by now. The fact that it hasn't gives me hope. Maybe I'm just too naive!
>
>Will

I agree with you that the law ought not to apply to ordinary cryptographic activity and that it should be unconstitutional if it does.
But the law can be read the other way and it has survived unscathed so far. Add to that the post Sept 11 attitude of accepting greater restrictions on personal liberty and the likelihood of further incidents of alleged crypto use by terrorists, drug dealers and pornographers, and I think there is a real danger that it may be used against cryptographers. The Second Circuit's 2600 ruling is particularly troublesome in this regard since it allows software to be proscribed based on the functional effect it can have on computer systems, notwithstanding the fact that it is speech. If that ruling is upheld, we might see the enemies of open cryptography become more aggressive.

I'm not suggesting that anyone panic or stop their research and publication. But people should be aware of the risk, get competent legal advice and at least take care to document in writing situations where they believe they are breaking encryption systems with the owner's permission.

Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]