Meanwhile, back on planet earth, Ed Felten, a scientist who has been personally put on ice more than once, clarifies the issue -- along with two other chilled out scientists: Edward D. Lazowska (University of Washington; Co-chair, Computing Research Association Government Affairs Committee) and Barbara Simons (Co-chair, ACM US Public Policy Committee).
Boy that's a relief! And all this time I thought there was a problem with the DMCA! Thanks, Declan, for putting everything into perspective!
Here's the full text of Ed Felten's response in case the link goes bad (full text of Declan's story follows below):
August 19, 2002
Response to Declan's DMCA Piece
Declan McCullagh misses the boat at least twice in his August 19th
column concerning the potential impact on computer science research of
the Digital Millennium Copyright Act ["Debunking DMCA myths," c|net
First, the DMCA has two arms: one that prohibits devices that circumvent
copy protection, and one that prohibits acts of circumvention. The
research conducted by Professor Felten and his colleagues took place
prior to the time when the "acts of circumvention" provisions became
effective in October 2000. Thus, these provisions did not apply to that
research. However, there is little doubt in the legal community that
this research, and similar research, would be illegal under the "acts of
circumvention" provisions. Declan fails to recognize this arm of the
DMCA in his column.
Second, the chilling effect of the DMCA cannot be described by the
probability of conviction alone. One must also consider the magnitude
of the exposure if convicted. Because the "acts of circumvention"
provisions of the DMCA were not in effect at the time of the Felten
research, the probability of an adverse judgment was indeed small.
However, a group of highly respected legal consultants told Felten's
employer that the cost of an adverse judgment could be truly enormous.
The combination of these two factors had a very substantial chilling
effect. (It is also the case that two individuals were likely to lose
their jobs if the paper was published. This illustrates the human
dimension of the chilling effect.)
Other issues, on which we shall not elaborate, include the
anti-dissemination provisions of the DMCA, and the civil (in addition to
It is disruptive to the progress of research when scientists must first
consult with attorneys to determine if previously legitimate research
might be in violation of the DMCA. We are happy to agree with Declan
that "The DMCA is ... an egregious law ... and should be unceremoniously
tossed out by the courts."
Edward W. Felten
Edward D. Lazowska
University of Washington; Co-chair, Computing Research Association
Government Affairs Committee
Co-chair, ACM US Public Policy Committee
Here's the text of Declan's original piece (that the above is a commentary on):
Debunking DMCA myths
By Declan McCullagh
August 19, 2002, 4:00 AM PT
WASHINGTON--Should researchers really be so worried about the much-reviled Digital Millennium Copyright Act?
If you believe the buzz, you'll conclude that programmers, academics and engineers should be scared witless about being sued under the DMCA. In effect for nearly two years, the law sets protections for the codes that are wrapped around certain copyrighted content such as DVDs and electronic books.
An attorney for the Computing Research Association, representing the computer science departments of some 200 universities, claims that "professors are afraid to study information systems or to publish their research." One researcher in the Netherlands announced that, because of the DMCA, he would not reveal his analysis of Intel's digital video system. Edward Felten, a computer scientist at Princeton University, and his colleagues postponed a presentation of their co-authored paper for four months after receiving DMCA threats.
Because some of his co-authors' employers nixed the presentation, Felten's delay is understandable. However, the fears of legal action may not all be justified.
Don't get me wrong. The DMCA is both an egregious law and a brazen power grab by Hollywood, the music industry and software companies. It is probably unconstitutional. It creates unnecessary federal crimes, cedes too much authority to copyright holders, and should be unceremoniously tossed out by the courts. (As a bonus, perhaps we could horsewhip its many fans in Congress.)
Even so, not all execrable laws are equally loathsome. A careful look at the DMCA shows that, far from prohibiting all security research, the law does not regulate as many activities as people seem to believe. And if activists hope to assail a law like the DMCA, they'll be taken more seriously if they know what they're talking about.
"The risk that a researcher could go to jail for giving a speech at an academic conference is essentially zero," says Orin Kerr, a law professor at George Washington University and a former prosecutor for the Justice Department. In fact, Kerr says, it makes sense to take opponents' claims about the scope of the copyright law with a grain of salt.
"Opponents of the DMCA want to dramatize its effects, so they want people to believe that the law is incredibly broad," Kerr says. "If the public believes that the DMCA is stopping Professor Felten and other researchers from conducting legitimate research, then that is a major victory for opponents of the law."
The fine print
Start with the text of the DMCA itself. It says, "No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device (or) component" that is primarily designed to bypass copy-protection technology. Note it does not explicitly prohibit research or published work, and in fact the DMCA explicitly includes limited exemptions for encryption research and reverse-engineering.
Actual violations of the DMCA can be punished with a civil suit for damages or, if done for commercial gain, prosecuted as criminal acts. The Justice Department indicted Dmitry Sklyarov because his employer, ElcomSoft, sold an e-book decoder that he helped to create, triggering the DMCA's criminal penalties.
By contrast, in a legal opinion, the Justice Department stressed that the paper co-authored by Felten provided zero grounds for criminal prosecution. The government even lauded the work as "designed and published to further scientific research."
On the other hand, it's conceivable that the DMCA permits a civil suit against an academic report that includes source code or object code. A company seeking to sue a researcher could argue that the DMCA covers such an act, as eight movie studios did when successfully suing the magazine 2600 for distributing a DVD-descrambling utility.
But R. Polk Wagner, who teaches intellectual property law at the University of Pennsylvania, thinks that a lawsuit sparked by a paper or presentation would be "a really long stretch."
"I don't think there was ever a realistic chance that Felten would have been liable, and I think all parties knew it from the beginning," Wagner says.
In a report accompanying the DMCA, Congress stressed that research could not be targeted: "The committee believes it is very important to emphasize that (this section) is aimed fundamentally at outlawing so-called 'black boxes' that are expressly intended to facilitate circumvention of technological protection measures for purposes of gaining access to a work."
If published research does not include working code--which is a vital part of research--the odds of a successful lawsuit rapidly approach zero.
If published research does not include working code, the odds of a successful lawsuit rapidly approach zero.
Peter Jaszi, a law professor at American University, is an ardent DMCA foe who worked to defeat the bill when Congress was considering it. While there are no guarantees, Jaszi says, "it's a bigger reach to say that describing the process by which some kind of hack might be accomplished without providing any kind of code is covered."
So if English-language descriptions of security flaws are permissible, what explains the near-constant state of jitters among security researchers nowadays? (It can't just be Hewlett-Packard's quickly abandoned DMCA threats against security researchers.)
One explanation is an unreasonable fear of the law. Citing DMCA fears, TiVo asked people to stop posting information about how to copy video off the device onto another machine--even though its legal liability is nonexistent. Dug Song, a security expert at network-protection company Arbor Networks, even took his personal Web site offline. For a while, the Institute of Electrical and Electronics Engineers required authors writing for its science journals to certify that their papers were DMCA violation-free--until cooler minds prevailed and IEEE recanted.
Another explanation is overly aggressive advocacy by groups like the Electronic Frontier Foundation, which represented Felten. "They succeeded in creating a kind of chilling effect in the scientific community because of the kind of fear-mongering they were engaged in," says Allan Adler, vice president at the Association of American Publishers (AAP).
Adler says that because the AAP represents corporations and universities that publish books of computer code, the organization has every reason to worry about restrictions on distributing technical information. Among the AAP's members are MIT Press, Princeton University Press and Stanford University Press. McGraw-Hill, which publishes books such as "C: The Complete Reference," filled with programming examples, is another.
But, Adler says, the AAP isn't concerned about the DMCA. "Such a reading of the statute (to include restrictions on research) is a clear stretch given its constitutional implications and the absence of any supporting legislative history. Moreover, it is a stretch that would not have been lightly countenanced by ardent First Amendment advocates in the publishing industry."
The Register's Thomas Greene put it more bluntly. A recent DMCA alert, Greene said, was a "nonissue which EFF inflated into gargantuan proportions."
For its part, the EFF points to the potential chilling effect of even unfounded DMCA threats, saying that "nastygrams" can halt a lot of legal acts--and most people are not willing to risk being right at the cost of civil fines that swallow their kids' college funds.
"Not every grad student or even professor is going to have easy access to free counsel who can provide a counterweight to the university lawyers," says Lee Tien, an EFF staff attorney. "Even if the paper were published, was it somehow bowdlerized? This is corrosive to scientific discourse."
Any type of publishing carries risks, including possible suits for libel, copyright infringement or invasion of privacy. Security research is no different. Before self-censoring, a researcher should make a sober evaluation of which allegations are likely to stick and show courage by not bowing to spurious threats. Back in 1977, cryptographers Ron Rivest, Adi Shamir and Len Adleman, and lawyers at MIT showed commendable mettle when standing up to threats from the National Security Agency related to their encryption research.
Luckily for them, the threat from the government soon faded. But because the DMCA has not yet been wielded in a court battle against a researcher, anxieties remain.
University of Pennsylvania professor Wagner says that's likely to remain the case for a while: "Copyright owners will kill two birds with one stone by expressing support for good-faith, serious research. It's good PR, and maintains the helpful--to them--vagueness of the current state of the law. I see an uneasy truce in our future."
Posted by Lisa at August 21, 2002 05:14 PM