Rethinking the DMCA

At its inception, many people called it a lousy law. CNET News.com's Charles Cooper says that proved to be too charitable an appraisal.

Time and again since its 1998 passage, the Digital Millennium Copyright Act has proved to be one of the worst-ever pieces of technology legislation.

By now, nearly every sentient being in Silicon Valley must wonder why Congress couldn't have done a better job thinking through the implications of its handicraft before voting the DMCA into law. The act has been responsible for needless litigation and even transmogrified into something of a gag on free expression. More about that in a moment.

I suppose it's a pipe dream to have hoped for a dramatically better outcome. Washington knows who butters its bread, and the power of corporate interest decides the day on Capitol Hill when big stakes are involved. Big stakes and big bucks.

So it was that Congress bowed to the copyright industry's demands and created a marvelously one-sided document. By making it illegal to circumvent technology used by the copyright industries to protect digital content, legislators took care of a key constituency. But they also created an invitation to trouble.

With no clear boundaries and very little legal precedent, the predictable result has been a messy conflict between the public and the moneyed interests. And that's where we are now with the specter of the DMCA, like Marley's Ghost, rising up to chill the spirit of free inquiry when it comes to encryption and computer security research.

Some of the more memorable dustups over the years:

• 2001: Princeton University professor Edward Felten received a letter from the Recording Industry Association of America pressuring him not to publish a paper outlining the weaknesses in the industry's technologies for protecting digital music. (The industry later backed down.)

• 2002: Adobe assisted U.S. authorities suing Moscow-based ElcomSoft for creating a program that exploited flaws in Adobe's e-book format. A trial ended in acquittal when jurors concluded ElcomSoft didn't mean to violate the law, even though they agreed the company's product was illegal.

• 2002: Hewlett-Packard sent legal notices to Secure Network Operations after flaw researchers published details of a vulnerability in HP's Tru64 operating system. HP subsequently backed down, but the point was made: Step out of line, and we'll throw the book at you.

• 2003: In an extreme example of the application of the DMCA, an Illinois-based manufacturer of garage-door openers claimed that a rival's replacement product violated copyright law. A federal court later dismissed the lawsuit.

I don't know if this was in many people's minds at the time of the law's passage, but the DMCA also gave software publishers a handy legal club to brandish whenever they believed their intellectual property was being put at risk.

Late last year a researcher in the United Kingdom ignited Sybase's ire after discovering vulnerabilities in the company's software. Security company Next-Generation Security Software was ready to publish the findings. But then Sybase's lawyers let it be known they would consider that to be a breach of Sybase's software license agreement. Publishing plans got put on hold until this week, when the two sides finally sorted things out.

CEO John Chen told me it never came down to Sybase using the DMCA as a legal cudgel. "Look, my product is better because of them," he said. Chen claims Sybase simply wanted more time to first inform its clients there was a patch. "I wanted to let them get up to speed, and then if you want to publish, I'll endorse that," he said. Sybase finally reversed course and decided this week not to sue.

Fair enough. But how long before Sybase or some other company again finds itself in a similar spot but this time can't--or won't--work out a compromise? The fact is that it's open season on vulnerability researchers, and the DMCA is the legal equivalent of a barrel of buckshot.

The disconnect is that these folks are getting nailed for doing their job. It's no longer just a question of publishing flaw details against a publisher's wishes. It's risking a jail sentence.

So far the courts have ruled for the defense in the DMCA-related arguments brought before them. But winning strings eventually get snapped. Sometime soon, code researchers may need to decide whether they are ready to martyr themselves for the cause of free speech.