password-cracking by journalists... (long, sorry)
Will Rodger
wrodger at pobox.com
Mon Jan 21 17:16:08 EST 2002
Arnold says:
>You can presumably write your own programs to decrypt your own files. But
>if you provide that service to someone else you could run afoul of the law
>as I read it. The DMCA prohibits trafficking in technology that can be
>used to circumvent technological protection measures. There is no language
>requiring proof that anyone's copyright was violated. Traffic for hire
>and it's a felony.
I think there's a good argument to the contrary.
The DMCA only bans trafficking in devices whose _primary_ purpose is
infringement. And it only applies to works "protected by this Title," that
is, Title 17, which is the collection of laws pertaining to copyright.
There was a very long, drawn out discussion of what would be banned and
what not before passage. It included all sorts of people traipsing up to
Capitol Hill to make sure that ordinary research and system maintenance,
among other things, would not be prosecuted. Bruce Schneier was among those
who talked to the committees and was satisfied, as I recall, that crypto
had dodged a bullet. I'm not saying that Bruce liked the bill, just that
this particular fear was lessened greatly, if not eliminated, by the
language that finally emerged.
>Now a prosecutor probably wouldn't pursue the case of a cryptographer who
>decoded messages on behalf of parents of some kid involved in drugs or sex
>abuse. But what if the cryptographer was told that and the data turned out
>to be someone else's? Or if the kid was e-mailing a counselor about abuse
>by his parents? Or the government really didn't like the cryptographer
>because of his political views?
It all gets down to knowingly doing something, right? If our cryptographer
acted in good faith, he wouldn't be prosecuted -- the person who set him up
would be.
>There is also the argument that Congress only intended to cover tools for
>breaking content protection schemes like CSS and never intended to cover
>general cryptanalysis. You might win with that argument in court (I
>think you should), but expect a 7 digit legal bill. And if you lose,
>we'll put up a "Free Will" web site.
No argument there!
>>>As for the legal situation before the DMCA, the Supreme Court issued a
>>>ruling last year in a case, Bartnicki v. Vopper, of a journalist who
>>>broadcast a tape he received of an illegally intercepted cell phone
>>>conversation between two labor organizers. The court ruled that the
>>>broadcast was permissible.
>>
>>The journalist received the information from a source gratis. That's
>>different from paying for stolen goods, hiring someone to eavesdrop, or
>>breaking the law yourself. The First Amendment covers a lot, in this case.
>
>Correct. The Bartnicki opinion pointed out that the journalists were not
>responsible for the interception. But journalists receive purloined data
>from whistle-blowers all the time. Suppose in the future it was one of
>those e-mail messages with a cryptographically enforced expiration date? A
>journalist who broke that system might be sued under DMCA. That
>possibility might not frighten the WSJ, but what about smaller news
>organizations?
Fair enough. But what would the damages under copyright law be? They
generally correspond to a harm in the market for a certain kind of
information. I don't see a value for a single email on the open market
except as a trade secret, say. But then you're back into First Amendment
territory, as well as the vagaries of state trade-secret laws (There's no
such thing in federal law). One of the failings of the federal law is that
it does give unethical people room to tie up the courts. Nothing new there...
>>>So the stolen property argument you give might not hold. The change
>>>wrought by the DMCA is that it makes trafficking in the tools needed to
>>>get at encrypted data, regardless whether one has a right to (there is
>>>an exemption for law enforcement) unlawful.
>>
>>There's language governing that in the statute. Trafficking in tools
>>specifically designed to break a given form of copy protection is one
>>thing. The continued availability of legal tools for cryptanalysis and
>>legitimate password cracking is another. As bad as the DMCA is, it's not
>>_that_ bad.
Arnold replied:
>I've read the statute very carefully and I never found such language. (You
>can read my analysis at
>http://world.std.com/~reinhold/DeCSSamicusbrief.html) It's certainly
>possible that I overlooked something. Perhaps you could cite the language
>you are referring to?
Sure.
In Section 1204, we see reference to "works protected by this title." The
DMCA as enacted is part of Title 17, which is specifically copyright laws.
Copyright law in the US gives a person access to his own work and also
allows for fair use _as defined by the courts_. Pro-consumer types failed
to get language reminding the reader that fair use still applied. Drafters
argued that would have been redundant. See ulterior motives here, if you want.
Anyway, the DMCA as enacted (with my emphasis in caps) says in Chapter 12,
Sec. 1204:
"(2) No person shall manufacture, import, offer to the public, provide, or
otherwise traffic in any technology, product, service, device, component,
or part thereof, that
(A) is PRIMARILY designed or produced for the purpose of circumventing a
technological measure that effectively controls access to a work PROTECTED
UNDER THIS TITLE;
(B) has only limited commercially significant purpose or use other than
to circumvent a technological measure that effectively controls access to a
work protected under this title; or
(C) is marketed by that person or another acting in concert with that
person with that person's knowledge for use in circumventing a
technological measure that effectively controls access to a work protected
under this title."
All those references to works protected under this title do nothing to keep
you from getting at your own stuff. The rest of the language also tells you
if you want to use a copy of Crack to get to some of your own system files,
well, go ahead.
Now, you're probably thinking "ah hah! He didn't clear up the problems with
the 'primary purpose' stuff." But not quite. We have a right to use our
VCRs today because a court has already ruled that a VCR's primary purpose
is not piracy. So far, the courts have understood "primary purpose" to mean
"This purpose and pretty much no other." Can we quibble about this?
Absolutely. But I haven't heard anyone come up with a good way of saying
that your system maintenance tools are legitimate, except to say that they
are primarily _not_ for breaking in to others' machines. Still, who uses
sniffers more, sys admins or the bad guys? I bet the latter, on any given day.
All that said, one would still want some language making clear that what
researchers do is OK. The statute does it, more or less, through provisions
for research in Chapter 12, Sec. 1201:
"(g) ENCRYPTION RESEARCH.
(1) DEFINITIONS. For purposes of this subsection
(A) the term 'encryption research' means activities necessary to identify
and analyze flaws and vulnerabilities of encryption technologies applied to
copyrighted works, if these activities are conducted to advance the state
of knowledge in the field of encryption technology or to assist in the
development of encryption products; and
(B) the term 'encryption technology' means the scrambling and
descrambling of information using mathematical formulas or algorithms.
(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH. Notwithstanding the
provisions of subsection (a)(1)(A), it is not a violation of that
subsection for a person to circumvent a technological measure as applied to
a copy, phonorecord, performance, or display of a published work in the
course of an act of good faith encryption research if
(A) the person lawfully obtained the encrypted copy, phonorecord,
performance, or display of the published work;
(B) such act is necessary to conduct such encryption research;
(C) the person made a good faith effort to obtain authorization before
the circumvention; and
(D) such act does not constitute infringement under this title or a
violation of applicable law other than this section, including section 1030
of title 18 and those provisions of title 18 amended by the Computer Fraud
and Abuse Act of 1986.
(3) FACTORS IN DETERMINING EXEMPTION. In determining whether a person
qualifies for the exemption under paragraph (2), the factors to be
considered shall include
(A) whether the information derived from the encryption research was
disseminated, and if so, whether it was disseminated in a manner reasonably
calculated to advance the state of knowledge or development of encryption
technology, versus whether it was disseminated in a manner that facilitates
infringement under this title or a violation of applicable law other than
this section, including a violation of privacy or breach of security;
(B) whether the person is engaged in a legitimate course of study, is
employed, or is appropriately trained or experienced, in the field of
encryption technology; and
(C) whether the person provides the copyright owner of the work to which
the technological measure is applied with notice of the findings and
documentation of the research, and the time when such notice is provided.
(4) USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES. Notwithstanding
the provisions of subsection (a)(2), it is not a violation of that
subsection for a person to
(A) develop and employ technological means to circumvent a technological
measure for the sole purpose of that person performing the acts of good
faith encryption research described in paragraph (2); and
(B) provide the technological means to another person with whom he or she
is working collaboratively for the purpose of conducting the acts of good
faith encryption research described in paragraph (2) or for the purpose of
having that other person verify his or her acts of good faith encryption
research described in paragraph (2)."
Note that all this leaves Ed Felten's recent work in the clear. It also
explains why the RIAA soiled its legal briefs when faced with _his_ lawyers
in court.
-------------------------
<Phew!>
OK, so that's my rap on why this law is bad but won't likely put anyone on
this list in jail. The biggest problem, I think, is not its prohibitions
but the legal cudgel it gives to certain people who would like to silence
others.
If this is the looming disaster many of us feared (I'm talking about stuff
much worse than the DeCSS cases here) it should have fallen on us by now.
The fact that it hasn't gives me hope. Maybe I'm just too naive!
Will
---------------------------------------------------------------------
The Cryptography Mailing List