Controversial law hinders warnings to consumers on matters like Sony rootkits, security researchers say.
But those strict legal restrictions should stay in effect, entertainment industry lobbyists said Friday, when they urged the U.S. Copyright Office to avoid making any changes to the Digital Millennium Copyright Act.
"There are many other avenues to address these questions, and certainly many other laws that may be relevant in this circumstance," said Steven Metalitz, a senior vice president at the International Intellectual Property Alliance. The group represents large copyright holders.
Computer security experts have asked the Copyright Office to alter the DMCA to protect their research. Edward Felten, a professor of computer science at Princeton University, said Friday that he and graduate student J. Alex Halderman uncovered the Sony problem a month before the news about it broke in November--but feared a lawsuit under Section 1201 of the DMCA if they disclosed it without the record label's authorization.
Because of the lag time, "a great many of consumers were at risk every day," Felten said. "Our exemption request is fundamentally asking for protection for those consumers."
Under federal law, the Copyright Office is required to solicit public opinion every few years on whether any amendments--called "exemptions"--to the DMCA are necessary. Section 1201 of the law broadly restricts circumventing "a technological measure that effectively controls access" to a copyrighted work.
Sony rootkit's lesson
In the past, security researchers would notify the vendors first of any bugs, but now they're afraid to disclose such flaws without first consulting a lawyer, Felten said. He added that the DMCA has discouraged security researchers from embarking on new projects and has driven some away from the field. (Felten once was threatened with a DMCA lawsuit by the recording industry for exposing weaknesses in a music-watermarking scheme.)
After a public outcry last fall, Sony voluntarily said it would halt production of certain copy-protected CDs. Those CDs installed a bundle of software, including a "rootkit" used to mask the presence of copy-protection software--and, if abused, malicious programs as well. The incident prompted one Homeland Security official to suggest banning rootkits.
Aaron Perzanowski, a law student at the University of California at Berkeley's Samuelson Law, Technology and Public Policy Clinic, and clinic director Deirdre Mulligan said that Felten could have been subject to legal liability if he had disclosed his findings about the Sony rootkits. After he found the flaw, Felten said he called lawyers and spent a month in negotiations with them, and decided not to publish his results right away. Programmer Mark Russinovich did instead.
Lobbyist Metalitz offered a detailed list of reasons why he said such an interpretation of the DMCA was incorrect. The law already provides sufficient protection in Section 1201 for researchers like Felten to do their work, he said. (That section, 1201(j), permits bypassing anticopying technology "solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability.")
But in the Sony BMG incident, the record label's first crack at an uninstaller proved riddled with new problems, Felten said, and even the latest version of the patch won't prevent reinstallation of the rootkit each time that type of copy-protected CD is inserted into a computer. Felten and other security professionals have been able to devise alternative uninstallers that would prevent such reinstallation indefinitely, but are worried that their "unauthorized" methods could get them sued.
"It's this uncertainty that creates the very risk," agreed Matthew Schruers, a lawyer for the Computer and Communications Industry Association, whose members include Sun Microsystems, Verizon and Yahoo. "So that raises for me a perplexing question: Why on earth are we putting cybersecurity in the hands of copyright lawyers?"
Previous DMCA exemptions granted by the Copyright Office allowed researchers into filtering to study blacklisting techniques and allowed obsolete copy-protection schemes to be legally bypassed.
When reviewing the DMCA, the Library of Congress is required to consider the impact that the anticircumvention sections have "on criticism, comment, news reporting, teaching, scholarship or research (and) the effect of circumvention of technological measures on the market for or value of copyrighted works."
The Copyright Office received more than 100 comments on its notice of proposed rulemaking published last year and plans to release its final determinations by the end of October. Marybeth Peters, the Register of Copyrights, said that the office has reached no conclusions yet on any of the exemptions.