Security workers: Copyright law stifles

Along with the threatened lawsuit of Princeton computer-science professor Edward Felten, and the arrest of Russian encryption expert Dmitry Sklyarov, the incidents are the latest to point at what is quickly becoming a touchy environment for security experts.

"When they started to arrest people and threaten researchers, I decided the legal risk was not worth it," said Fred Cohen, a well-known security consultant and a professor of digital forensics, who took his evidence-gathering tool--dubbed Forensix--off his Web site earlier this week.

Dug Song, a security expert at network-protection company Arbor Networks, pulled his own site down in protest as well. Now the only text on the site, "Censored by the Digital Millennium Copyright Act," links to a DMCA protest site, Anti-DMCA.org.

And last month, fearing retribution, Dutch encryption expert Niels Ferguson refused to publish his discovery that Intel's encryption scheme for Firewire connections, known as the high-bandwidth digital content protection (HDCP) system, had a major flaw.

"I travel to the U.S. regularly, both for professional and for personal reasons," he said in an online statement. "I simply cannot afford to be sued or prosecuted in the U.S. I would go bankrupt paying for my lawyers."

Lawyers and proponents of the law argue that the response from the security community is at best a misinterpretation of the law and more likely protest veiled as legitimate fear.

"Some of the opponents of the DMCA are trying to resurrect this issue to get another day in court," said Robert Holleyman, president and CEO of the Business Software Alliance, the piracy-fighting organization that represents the lion's share of software companies. "Security testing is definitely permitted under the DMCA."

The DMCA, passed in 1998, prohibits the circumvention of copy protection and the distribution of devices that can be used to circumvent copyrights--even if their users don't do anything illegal once they've broken the security. Software makers, Hollywood and the music industry make up the core proponents of the law.

The BSA says such laws are necessary to head off software piracy, which the group estimates cost software companies $11 billion in lost revenue last year.

Yet, for many security researchers the question is whether stress-testing the security of software products and publicizing vulnerabilities and how they were taken advantage of violates the DMCA.

The Man bites watchdog?
"There are provisions in the law for certain security research," said Mark Smith, a network-security engineer and spokesman for Anti-DMCA.org, "but you shouldn't have to hire a lawyer to make sure you are not breaking a law."

That's a problem in an industry where a large number of security vulnerabilities are found by individuals and small groups of hackers--the people without the deep pockets to fend off a lawsuit or hire lawyers to review research prior to its release.

That pretty much turns the question of publishing into a business decision, said consultant Cohen. "From a risk-management standpoint, I can't afford to deal with the issue," he said. "Some big businesses can afford to sell the product. I can't."

But Marc Zwillinger, an intellectual-property attorney and partner at Washington, D.C., law firm Kirkland & Ellis, calls Cohen's move a political one.

"I don't think that forensics software would (be considered illegal) under any reading of the DMCA," said the former Department of Justice attorney, who now files suit on behalf of copyright holders.

He said Cohen's forensics tool is a program that is not primarily designed to circumvent the protections of copyrighted work, so his actions are unnecessary. And the Dutch researcher has little to worry about, at least from U.S. authorities, Zwillinger said. "You cannot be arrested under the DMCA unless you are selling software for profit," he said.

Yet the willingness of software makers and media companies to sue over any potential threat makes security researchers nervous.

In 1999, the movie industry filed multiple lawsuits against the creators of a program to decrypt DVD disks. Originally, the program had been created to add DVD playback ability to the Linux operating system.

This April, Princeton's Felten found himself on the sticky side of a threatened lawsuit when he planned to release research questioning the effectiveness of a purported Secure Digital Music Initiative. Following the filing of his own suit, the professor presented his paper at the USENIX Security Conference in August.

But it was the arrest and criminal indictment of Russian encryption expert Dmitry Sklyarov at the Def Con hacking conference that really drove the point home. The incident also unnerved Russian programmers thinking of visiting the United States.

"We would like to draw the attention of all the Russian software and programming specialists cooperating with U.S. firms that, regardless of a final decision in the Sklyarov case, provisions of the 1998 Act may be used against them on the territory of the United States," the Russian Ministry of Foreign Affairs said in a statement issued last week.

Already, some security researchers are going underground.

Last week, when an encryption expert reportedly found a hole in Microsoft's e-Book format, he anonymously went to the news media rather than face arrest.

According to Anti-DMCA.org's Smith, the DMCA could dramatically set back computer security.

"We crash test cars to create stronger, safer vehicles," he said. "We need to crash test software to promote stronger, safer software. But with the DMCA, a company can do minimal research on security, and if someone does crack their software, they can sic the FBI on them."