Debunking DMCA myths

WASHINGTON--Should researchers really be so worried about the much-reviled Digital Millennium Copyright Act?

If you believe the buzz, you'll conclude that programmers, academics and engineers should be scared witless about being sued under the DMCA. In effect for nearly two years, the law sets protections for the codes that are wrapped around certain copyrighted content such as DVDs and electronic books.

An attorney for the Computing Research Association, representing the computer science departments of some 200 universities, claims that "professors are afraid to study information systems or to publish their research." One researcher in the Netherlands announced that, because of the DMCA, he would not reveal his analysis of Intel's digital video system. Edward Felten, a computer scientist at Princeton University, and his colleagues postponed a presentation of their co-authored paper for four months after receiving DMCA threats.

Because some of his co-authors' employers nixed the presentation, Felten's delay is understandable. However, the fears of legal action may not all be justified.

Don't get me wrong. The DMCA is both an egregious law and a brazen power grab by Hollywood, the music industry and software companies. It is probably unconstitutional. It creates unnecessary federal crimes, cedes too much authority to copyright holders, and should be unceremoniously tossed out by the courts. (As a bonus, perhaps we could horsewhip its many fans in Congress.)

If activists hope to assail a law like the DMCA, they'll be taken more seriously if they know what they're talking about.

Even so, not all execrable laws are equally loathsome. A careful look at the DMCA shows that, far from prohibiting all security research, the law does not regulate as many activities as people seem to believe. And if activists hope to assail a law like the DMCA, they'll be taken more seriously if they know what they're talking about.

"The risk that a researcher could go to jail for giving a speech at an academic conference is essentially zero," says Orin Kerr, a law professor at George Washington University and a former prosecutor for the Justice Department. In fact, Kerr says, it makes sense to take opponents' claims about the scope of the copyright law with a grain of salt.

"Opponents of the DMCA want to dramatize its effects, so they want people to believe that the law is incredibly broad," Kerr says. "If the public believes that the DMCA is stopping Professor Felten and other researchers from conducting legitimate research, then that is a major victory for opponents of the law."

The fine print
Start with the text of the DMCA itself. It says, "No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device (or) component" that is primarily designed to bypass copy-protection technology. Note it does not explicitly prohibit research or published work, and in fact the DMCA explicitly includes limited exemptions for encryption research and reverse-engineering.

Actual violations of the DMCA can be punished with a civil suit for damages or, if done for commercial gain, prosecuted as criminal acts. The Justice Department indicted Dmitry Sklyarov because his employer, ElcomSoft, sold an e-book decoder that he helped to create, triggering the DMCA's criminal penalties.

By contrast, in a legal opinion, the Justice Department stressed that the paper co-authored by Felten provided zero grounds for criminal prosecution. The government even lauded the work as "designed and published to further scientific research."

On the other hand, it's conceivable that the DMCA permits a civil suit against an academic report that includes source code or object code. A company seeking to sue a researcher could argue that the DMCA covers such an act, as eight movie studios did when successfully suing the magazine 2600 for distributing a DVD-descrambling utility.

But R. Polk Wagner, who teaches intellectual property law at the University of Pennsylvania, thinks that a lawsuit sparked by a paper or presentation would be "a really long stretch."

"I don't think there was ever a realistic chance that Felten would have been liable, and I think all parties knew it from the beginning," Wagner says.

In a report accompanying the DMCA, Congress stressed that research could not be targeted: "The committee believes it is very important to emphasize that (this section) is aimed fundamentally at outlawing so-called 'black boxes' that are expressly intended to facilitate circumvention of technological protection measures for purposes of gaining access to a work."

Code-free zones
If published research does not include working code--which is a vital part of research--the odds of a successful lawsuit rapidly approach zero.

If published research does not include working code, the odds of a successful lawsuit rapidly approach zero.

Peter Jaszi, a law professor at American University, is an ardent DMCA foe who worked to defeat the bill when Congress was considering it. While there are no guarantees, Jaszi says, "it's a bigger reach to say that describing the process by which some kind of hack might be accomplished without providing any kind of code is covered."

So if English-language descriptions of security flaws are permissible, what explains the near-constant state of jitters among security researchers nowadays? (It can't just be Hewlett-Packard's quickly abandoned DMCA threats against security researchers.)

One explanation is an unreasonable fear of the law. Citing DMCA fears, TiVo asked people to stop posting information about how to copy video off the device onto another machine--even though its legal liability is nonexistent. Dug Song, a security expert at network-protection company Arbor Networks, even took his personal Web site offline. For a while, the Institute of Electrical and Electronics Engineers required authors writing for its science journals to certify that their papers were DMCA violation-free--until cooler minds prevailed and IEEE recanted.

Exaggerated threats
Another explanation is overly aggressive advocacy by groups like the Electronic Frontier Foundation, which represented Felten. "They succeeded in creating a kind of chilling effect in the scientific community because of the kind of fear-mongering they were engaged in," says Allan Adler, vice president at the Association of American Publishers (AAP).

Adler says that because the AAP represents corporations and universities that publish books of computer code, the organization has every reason to worry about restrictions on distributing technical information. Among the AAP's members are MIT Press, Princeton University Press and Stanford University Press. McGraw-Hill, which publishes books such as "C: The Complete Reference," filled with programming examples, is another.

But, Adler says, the AAP isn't concerned about the DMCA. "Such a reading of the statute (to include restrictions on research) is a clear stretch given its constitutional implications and the absence of any supporting legislative history. Moreover, it is a stretch that would not have been lightly countenanced by ardent First Amendment advocates in the publishing industry."

The Register's Thomas Greene put it more bluntly. A recent DMCA alert, Greene said, was a "nonissue which EFF inflated into gargantuan proportions."

For its part, the EFF points to the potential chilling effect of even unfounded DMCA threats, saying that "nastygrams" can halt a lot of legal acts--and most people are not willing to risk being right at the cost of civil fines that swallow their kids' college funds.

"Not every grad student or even professor is going to have easy access to free counsel who can provide a counterweight to the university lawyers," says Lee Tien, an EFF staff attorney. "Even if the paper were published, was it somehow bowdlerized? This is corrosive to scientific discourse."

Any type of publishing carries risks, including possible suits for libel, copyright infringement or invasion of privacy. Security research is no different. Before self-censoring, a researcher should make a sober evaluation of which allegations are likely to stick and show courage by not bowing to spurious threats. Back in 1977, cryptographers Ron Rivest, Adi Shamir and Len Adleman, and lawyers at MIT showed commendable mettle when standing up to threats from the National Security Agency related to their encryption research.

Luckily for them, the threat from the government soon faded. But because the DMCA has not yet been wielded in a court battle against a researcher, anxieties remain.

University of Pennsylvania professor Wagner says that's likely to remain the case for a while: "Copyright owners will kill two birds with one stone by expressing support for good-faith, serious research. It's good PR, and maintains the helpful--to them--vagueness of the current state of the law. I see an uneasy truce in our future."