Re: can a random number be subject to a takedown?

2007-05-04 Thread David G. Koontz
Hal Finney wrote:
 My question to the assembled: are cryptographic keys really subject to
 DMCA subject to takedown requests? I suspect they are not
 copyrightable under the criterion from the phone directory
 precedent.
 
 A sample demand letter from the AACS Licensing Authority appears at:
 
 http://www.chillingeffects.org/notice.cgi?sID=03218
 
From what I can see, there is no claim that the key is copyrighted.
 Rather, the letter refers to the provisions of the DMCA which govern
 circumvention of technological protection measures.  It demands that
 the key be taken down in order to avoid legal liability.
 
 This seems odd to me because my understanding of the DMCA's
 anti-circumvention provisions is that they are criminal rather than civil
 law.  Violations would lead to charges from legal authority and not from a
 copyright owner.  So it's not clear that AACSLA has any power to enforce
 these demands, other than trying to get some government agency involved.
 
 The letter specifically cites 17 USC 1201(a)2 and (b)1, which can be read
 here:
 
 http://cyber.law.harvard.edu/openlaw/DVD/1201.html#a2
 

From an explanation of the justification for the take down notices:
http://www.out-law.com/page-8022

  Fred von Lohman, an attorney at the Electronic Frontier Foundation,
  said in his blog that sites which carry the code or links to it are
  unlikely to be able to use a traditional defence of 'safe harbor'.

  While no court has ruled on the issue, AACS will almost certainly
  argue that the DMCA safe harbors do not protect online service
  providers who host or link to the key, he said. The DMCA safe
  harbors apply to liabilities arising from 'infringement of copyright.'
  Several courts have suggested that trafficking in circumvention tools
  is not 'copyright infringement,' but a separate violation of a
  'para-copyright' provision.

  The AACS takedown letter is not claiming that the key is
  copyrightable, but rather that it is (or is a component of) a
  circumvention technology, said von Lohman. The DMCA does not require
  that a circumvention technology be, itself, copyrightable to enjoy
  protection.

One would think that the recent SCOTUS findings in Microsoft v. ATT
would demonstrate that intangibiles such as software (and perhaps large
integers) were not components or parts thereof, unless in place in a
device:

http://www.webster.com/cgi-bin/dictionary?sourceid=Mozilla-searchva=device

  f : a piece of equipment or a mechanism designed to serve a special
  purpose or perform a special function an electronic device

From http://cyber.law.harvard.edu/openlaw/DVD/1201.html#a2

17 USC 1201:

  (b) Additional Violations. -

  (1) No person shall manufacture, import, offer to the public,
provide, or otherwise traffic in any technology, product,
service, device, component, or part thereof, that -

 o (A) is primarily designed or produced for the purpose of
circumventing protection afforded by a technological measure
that effectively protects a right of a copyright owner under
this title in a work or a portion thereof;
 o (B) has only limited commercially significant purpose or use
other than to circumvent protection afforded by a
technological measure that effectively protects a right of a
copyright owner under this title in a work or a portion
thereof; or
 o (C) is marketed by that person or another acting in concert
with that person with that person's knowledge for use in
circumventing protection afforded by a technological measure
that effectively protects a right of a copyright owner under
this title in a work or a portion thereof.


I'd strongly suspect that most if not all of the 2 million hits would
not reveal another acting in concert with that person's knowledge.
While this instance is not indicative of a trend to the lawyer
equivalent of judicial activism, I don't see any protection under the
DMCA against distributing the Processing Keys as what appears to be a
political statement (which could be held to be protected speech).

(IANAL)

Freds blog entry:  http://www.eff.org/deeplinks/archives/005229.php




-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: can a random number be subject to a takedown?

2007-05-02 Thread Dave Korn
On 01 May 2007 22:33, Jon Callas wrote:

 On May 1, 2007, at 12:53 PM, Perry E. Metzger wrote:

 unsigned char* guess_key(void)
 {
  unsigned
  char key[] = {0x0a, 0xFa, 0x12, 0x03,
0xD9, 0x42, 0x57, 0xC6,
0x9E, 0x75, 0xE4, 0x5C,
0x64, 0x57, 0x89, 0xC1};
 
  return key;
 }
 
 (Or it would if I'd put the actual AACS key in there.)

  Heh, that's a bit like the old issue of whether you can publish an OTP that
has certain interesting properties when used to en/decrypt some other public
domain information.

  See also http://preview.tinyurl.com/3dcse6 
   http://preview.tinyurl.com/2d3hm3
   http://preview.tinyurl.com/2ey2mj

for more variations on this theme.  Wonder if you can issue a take-down notice
for a 301 redirect?

cheers,
  DaveK
-- 
Can't think of a witty .sigline today

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


can a random number be subject to a takedown?

2007-05-01 Thread Perry E. Metzger

A lot of sites have been getting DMCA takedowns for the HD-DVD
processing key that got leaked recently.

My question to the assembled: are cryptographic keys really subject to
DMCA subject to takedown requests? I suspect they are not
copyrightable under the criterion from the phone directory
precedent.

-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: can a random number be subject to a takedown?

2007-05-01 Thread Hal Finney
 My question to the assembled: are cryptographic keys really subject to
 DMCA subject to takedown requests? I suspect they are not
 copyrightable under the criterion from the phone directory
 precedent.

A sample demand letter from the AACS Licensing Authority appears at:

http://www.chillingeffects.org/notice.cgi?sID=03218

From what I can see, there is no claim that the key is copyrighted.
Rather, the letter refers to the provisions of the DMCA which govern
circumvention of technological protection measures.  It demands that
the key be taken down in order to avoid legal liability.

This seems odd to me because my understanding of the DMCA's
anti-circumvention provisions is that they are criminal rather than civil
law.  Violations would lead to charges from legal authority and not from a
copyright owner.  So it's not clear that AACSLA has any power to enforce
these demands, other than trying to get some government agency involved.

The letter specifically cites 17 USC 1201(a)2 and (b)1, which can be read
here:

http://cyber.law.harvard.edu/openlaw/DVD/1201.html#a2

Hal Finney

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: can a random number be subject to a takedown?

2007-05-01 Thread lists

 A lot of sites have been getting DMCA takedowns for the HD-DVD
 processing key that got leaked recently.

 My question to the assembled: are cryptographic keys really subject to
 DMCA subject to takedown requests? I suspect they are not
 copyrightable under the criterion from the phone directory
 precedent.

I'm as far from being a copyright lowyer as most of you.
http://www.dilbert.com/comics/pearls/archive/images/pearls2007042261849.jpg

I suppose that we mean a randomly-generated number, rather than a random 
number.
Then the production process would not be creative as expected for direct 
copyright
and you'd be right that it can't be copyrighted.

As far as the DMCA is concerned I think this is a paracopyright issue - the
(alleged) significance of the number in relation to HD-DVD would make it a
circumvention tool and therefore subject to takedowns.  I don't know whether an
alternative legitimate use is a defence, but you might have a job finding such
a thing for a randomly-generated number (as opposed to something more structured
like Netscape engineers are weenies.).

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: can a random number be subject to a takedown?

2007-05-01 Thread Perry E. Metzger

[EMAIL PROTECTED] (Hal Finney) writes:
 A sample demand letter from the AACS Licensing Authority appears at:

 http://www.chillingeffects.org/notice.cgi?sID=03218

From what I can see, there is no claim that the key is copyrighted.
 Rather, the letter refers to the provisions of the DMCA which govern
 circumvention of technological protection measures.  It demands that
 the key be taken down in order to avoid legal liability.

However, a 128 bit number is not a circumvention tool, any more than
an explanation of how AACS can be attacked is a circumvention tool. A
circumvention tool would have to be something like a program or a
device that would permit circumvention, not mere description of
one. Source code to a circumvention tool is probably a sticky issue,
but the a 128 bit integer is not something you can then compile and
get a hacking tool out of.

Can one really consider publication of an integer to be circumvention?

 This seems odd to me because my understanding of the DMCA's
 anti-circumvention provisions is that they are criminal rather than civil
 law.  Violations would lead to charges from legal authority and not from a
 copyright owner.  So it's not clear that AACSLA has any power to enforce
 these demands, other than trying to get some government agency involved.

That would indeed seem to be the case from me as well. Takedown
notices are only for copyrighted material. This is not per se a
standard takedown notice.

-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: can a random number be subject to a takedown?

2007-05-01 Thread James S. Tyre

At 05:04 PM 5/1/2007 -0400, Perry E. Metzger wrote:


[EMAIL PROTECTED] (Hal Finney) writes:
 A sample demand letter from the AACS Licensing Authority appears at:

 http://www.chillingeffects.org/notice.cgi?sID=03218


...


 This seems odd to me because my understanding of the DMCA's
 anti-circumvention provisions is that they are criminal rather than civil
 law.  Violations would lead to charges from legal authority and not from a
 copyright owner.  So it's not clear that AACSLA has any power to enforce
 these demands, other than trying to get some government agency involved.

That would indeed seem to be the case from me as well. Takedown
notices are only for copyrighted material. This is not per se a
standard takedown notice.



It isn't a standard 17 USC 512(c)(3) takedown notice, it is a 
non-statutory notice advising Google of possible liability if the 
allegedly offending sites aren't taken down.


Without getting into a lengthy discussion of whether this is a 
violation of the DMCA anti-circumvention provisions, alleged 
violations certainly can be pursued in civil court as well as 
criminal court.  The semi-infamous 2600 case, involving the posting 
of DeCSS to many sites, was a civil case.  Court of Appeals Opinion 
at 
http://www.eff.org/IP/Video/MPAA_DVD_cases/?f=20011128_ny_appeal_decision.html. 




James S. Tyre  [EMAIL PROTECTED]
Law Offices of James S. Tyre  310-839-4114/310-839-4602(fax)
10736 Jefferson Blvd., #512   Culver City, CA 90230-4969
Co-founder, The Censorware Project http://censorware.net
Policy Fellow, Electronic Frontier Foundation http://www.eff.org

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: can a random number be subject to a takedown?

2007-05-01 Thread Jon Callas


On May 1, 2007, at 12:53 PM, Perry E. Metzger wrote:



A lot of sites have been getting DMCA takedowns for the HD-DVD
processing key that got leaked recently.

My question to the assembled: are cryptographic keys really subject to
DMCA subject to takedown requests? I suspect they are not
copyrightable under the criterion from the phone directory
precedent.


My tongue is slightly in my cheek as I say this: once a random number  
is known, it's not random any more. An idealized property of random  
numbers like keys is that there be no algorithm for producing it that  
is better than guessing. I can presently guess this key with  
probability greater than 2^-128 using this algorithm in a C-like  
pseudocode:


unsigned char* guess_key(void)
{
unsigned
char key[] = {0x0a, 0xFa, 0x12, 0x03,
  0xD9, 0x42, 0x57, 0xC6,
  0x9E, 0x75, 0xE4, 0x5C,
  0x64, 0x57, 0x89, 0xC1};

return key;
}

(Or it would if I'd put the actual AACS key in there.)

The question is if a *specific* key can be taken down. This is open  
to argument, because the DMCA only applies to things that are  
copyrightable, and one can argue that keys are not copyrightable  
convincingly. (Sketch of argument: if keys were copyrightable then I  
could copyright a list of all keys. I can't copyright a database, or  
even a phone book, so the notion that I could copyright a list of all  
numbers in the set [0..N] is absurd.)


As far as anti-circumvention goes, keys themselves can't be used for  
circumvention. Assuming that the above were the AACS key, I couldn't  
use it to circumvent because I don't know the right protocol to use.  
Consider another scenario: one can use a brick to smash a window, but  
possessing a brick does not mean you've broken windows. If I have a  
proper key, but no software, I am not capable of circumventing.  
Likewise, if I had software that could do the crypto, but no key, I'm  
not capable. It is only if I have both the software and the key that  
I have something that *might* be a circumvention device. Even things  
that might be circumvention devices are not always. The test in the  
DMCA is if its primary purpose is for circumvention. This is why  
debuggers are not circumvention devices. It is only when you use the  
potential circumvention device to circumvent that you've done the  
equivalent of throwing the brick through the window.


Jon

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]