Criminalizing crypto criticism

lcs Mixmaster Remailer mix at anon.lcs.mit.edu
Fri Jul 27 22:00:02 EDT 2001 

Arnold Reinhold writes:

> If you read the language carefully, you will see that 1201g only 
> permits *circumvention* as part of cryptographic research (and then 
> only under limited circumstances). There is nothing in the law that 
> allows publication of results.

Not true.  Look closely at
http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR: (note that
the final colon is part of the URL).

1201(a)(1)(A):
   No person shall circumvent a technological measure that effectively
   controls access to a work protected under this title.

This is the basic provision which outlaws circumvention.

1201(g)(2):
   PERMISSIBLE ACTS OF ENCRYPTION RESEARCH- Notwithstanding the provisions
   of subsection (a)(1)(A), it is not a violation of that subsection for
   a person to circumvent a technological measure as applied to a copy,
   phonorecord, performance, or display of a published work in the course
   of an act of good faith encryption research if--
      [Various provisions, including making a good faith effort to get
       permission]

And this is the provision which allows encryption research even when that
involves circumvention.

Neither of these addresses publication.  This is possibly covered in
the following:

1201(a)(2):
   No person shall manufacture, import, offer to the public, provide,
   or otherwise traffic in any technology, product, service, device,
   component, or part thereof, that--
      (A) is primarily designed or produced for the purpose of
      circumventing a technological measure that effectively controls
      access to a work protected under this title;

      (B) has only limited commercially significant purpose or use other
      than to circumvent a technological measure that effectively controls
      access to a work protected under this title; or

      (C) is marketed by that person or another acting in concert with
      that person with that person's knowledge for use in circumventing
      a technological measure that effectively controls access to a work
      protected under this title.

It is not at all clear that publishing a research result relating to a
cryptographic problem in a copyright protecting technology would fall
into any of these categories.  First, such a publication is clearly not a
"product, service, device, component, or part thereof".  Conceivably it
could be a "technology" although most cryptographic papers are a long
way from an actual technology.

Second, the primary purpose of such a publication is not to enable
circumvention, but to advance the state of the art in science.  Hence it
is not covered by provision (a)(2)(A), and not by (B) or (C) either.

Nevertheless if publication were to be interpreted as being covered by
this provision, there is a further exception in 1201(g):

1201(g)(4):
   USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES- Notwithstanding
   the provisions of subsection (a)(2), it is not a violation of that
   subsection for a person to--

      (A) develop and employ technological means to circumvent a
      technological measure for the sole purpose of that person performing
      the acts of good faith encryption research described in paragraph
      (2); and

      (B) provide the technological means to another person with whom he
      or she is working collaboratively for the purpose of conducting the
      acts of good faith encryption research described in paragraph (2)
      or for the purpose of having that other person verify his or her
      acts of good faith encryption research described in paragraph (2).

Again, this appears to be interpreted in the context of (A)(2) forbidding
the actual construction of devices which are are developed, employed,
and distributed.  Even if we interpret (A)(2) to include cryptographic
publications, however, the provision still applies.  Note in particular
the language in (B) which allows another person to verify the act of
good faith encryption research.  This is one of the main purposes of
publication, to allow verification of the results by others.

Hence publications which show cryptographic holes in deployed encryption
systems are exempt.  This provision also allows the distribution of
circumvention software for legitimate research purposes.

Note too the additional provision:

1201(c)(4):
   Nothing in this section shall enlarge or diminish any rights of
   free speech or the press for activities using consumer electronics,
   telecommunications, or computing products.

Clearly publication of cryptographic results is a fundamental part of
free speech and will not be infringed by the DMCA.


Much of the hysteria regarding the DMCA's supposed ability to quash free
speech by cryptographic researchers is being whipped up by opponents
to the DMCA who are misrepresenting the DMCA in a calculated fashion in
order to promote opposition.  Consider two recent cases.

Dmitry Sklyarov of Russia has been arrested for violating the DMCA.
Many DMCA opponents initially claimed that he had been arrested for
discussing problems in Adobe's ebook software.  This claim was false and
has been largely abandoned now, but it has served its pupose of giving
the impression that DMCA will criminalize publication.

Princeton Professor Edward Felten and his research team were prevented
from presenting their results regarding flaws in SDMI at the Information
Hiding Workshop, based on a letter from the Recording Industry Association
of America which claimed that such publication would violate the DMCA.

In this case, the RIAA was mistaken about the application of the DMCA,
as the above analysis makes clear.  In fact the RIAA takes that same
position now, as seen in
http://www.eff.org/Legal/Cases/Felten_v_RIAA/20010606_riaa_statement.html.
The decision to pull out of the conference was made jointly by Felten,
his team, and conference organizers.  If they made the decision based
on fears of the DMCA, their decision was mistaken.

Again, anti-DMCA forces have used this case as an example of how the DMCA
supposedly prevents free speech.  In fact it is more an example of how
the misinformation spread by DMCA opponents is preventing free speech.
Had the true facts about the DMCA been widely known and disseminated,
Felten et al would have presented their paper and the RIAA's letter
would have been seen at the empty threat it was.  (Yes, lawyers issue
letters with empty threats and bluffs all the time.  It's called the
real world, folks.)

There are many problems with the DMCA, but opponents will serve their
cause best by being honest and straightforward about what the measure
does and does not do.



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list