password-cracking by journalists... (long, sorry)

Arnold G. Reinhold reinhold at world.std.com
Tue Jan 22 10:27:21 EST 2002 

At 5:16 PM -0500 1/21/02, Will Rodger wrote:
>Arnold says:
>
>>You can presumably write your own programs to decrypt your own 
>>files. But if you provide that service to someone else you could 
>>run afoul of the law as I read it. The DMCA prohibits trafficking 
>>in technology that can be used to circumvent technological 
>>protection measures. There is no language requiring proof than 
>>anyone's copyright was violated.  Traffic for hire and it's a 
>>felony.
>
>I think there's a good argument to the contrary.
>
>The DMCA only bans trafficking in devices whose _primary_ purpose is 
>infringement.

No, DMCA bans trafficking in devices whose primary purpose is 
*circumvention.*   I'm not trying to nit pick, it's an important 
point. DMCA creates a whole new class of proscribed activity, 
circumvention, that does not require proof of infringement.

As for the phrase "primary purpose," I can easily see a judge 
accepting the argument that the primary purpose of a tool that breaks 
encryption is circumvention as defined in this act. In the 2600 case, 
the defense argued that DeCSS was also useful for playing purchased 
DVDs on Linux machines and for fair use. The courts dismissed this 
argument.

>And it only applies to works "protected by this Title," that is, 
>Title 17, which is the collection of laws pertaining to copyright.

Right, but just about everything written today is copyrighted from 
the moment of creation. You have to go out of your way (or work for 
the U.S. government) to place new works in the public domain.

>
>There was a very long, drawn out discussion of what would be banned 
>and what not before passage. It included all sorts of people 
>traipsing up to Capitol Hill to make sure that ordinary research and 
>system maintenance, among other things, would not be prosecuted. 
>Bruce Schneier was among those who talked to the committees and was 
>satisfied, as I recall, that crypto had dodged a bullet. I'm not 
>saying that Bruce liked the bill, just that this particular fear was 
>lessened greatly, if not eliminated, by the language that finally 
>emerged.

I've heard that story as well. I don't know if he saw the final 
language, how long he had to study it or what he based that opinion 
on.  Maybe there is some statement in the legislative history, which 
is only what the legislators said about the bill, that might be 
helpful in court. Absent that, we have to rely on what the law 
actually says. Bruce's opinion of what the law means would carry no 
weight in court.

>
>>Now a prosecutor probably wouldn't pursue the case of a 
>>cryptographer who decoded messages on behalf of parents of some kid 
>>involved in drugs or sex abuse. But what if the cryptographer was 
>>told that and the data turned out to be someone else's? Or if the 
>>kid was e-mailing a counselor about abuse by his parents? Or the 
>>government really didn't like the cryptographer because of his 
>>political views?
>
>It all gets down to knowingly doing something, right? If our 
>cryptographer acted in good faith, he wouldn't be prosecuted -- the 
>person who set him up would be.

I see nothing in the law that exempts you from liability if you 
didn't know you acted without authorization of the copyright holder. 
There is a provision, 1203(c)(5), that lets a court reduce reducing 
civil damages if you didn't know.  That presumably does not apply to 
the criminal provisions and prosecutors are notorious for doing 
whatever it takes if they want to get someone.  See, for example 
http://www.nytimes.com/2002/01/21/nyregion/21CLEA.html

>
>
>>There is also the argument that Congress only intended to cover 
>>tools for breaking content protections schemes like CSS and never 
>>intended to cover general cryptanalysis.   You might win with that 
>>argument in court (I think you should), but expect a 7 digit legal 
>>bill.  And if you lose, we'll put up a "Free Will" web site.
>
>No argument there!
>
>>>>As for the legal situation before the DMCA,  the Supreme Court 
>>>>issued a ruling last year in a case, Barniki v. Volper,  of a 
>>>>journalist who broadcast a tape he received of an illegally 
>>>>intercepted cell phone conversation between two labor organizers. 
>>>>The court ruled that the broadcast was permissible.
>>>
>>>The journalist received the information from a source gratis. 
>>>That's different from paying for stolen goods, hiring someone to 
>>>eavesdrop, or breaking the law yourself. The First Amendment 
>>>covers a lot, in this case.
>>
>>Correct. The Barniki opinion pointed out that the journalists were 
>>not responsible for the interception.  But journalists receive 
>>purloined data from whistle-blowers all the time. Suppose in the 
>>future it was one of those e-mail messages with a cryptographically 
>>enforced expiration date? A journalist who broke that system might 
>>be sued under DMCA.  That possibility might not frighten the WSJ, 
>>but what about smaller news organizations?
>
>
>Fair enough. But what would the damages under copyright law be? They 
>generally correspond to a harm in the market for a certain kind of 
>information. I don't see a value for a single email on the open 
>market except as a trade secret, say. But then you're back into 
>First Amendment territory, as well as the vagaries of state 
>trade-secret laws (There's no such thing in federal law). One of the 
>failings of the federal law is that it does give unethical people 
>room to tie up the courts. Nothing new there...

Again, there is this new offence called circumvention.  You don't 
need to prove infringement or trade secrets.  There are statutory 
damages (1203(c)(3)(A)), $200 to $2500 per act of circumvention "as 
the court considers just,"  plus you can be assessed the legal 
expenses of the other side. But the real kicker is that circumvention 
for hire is a felony.

>
>
>>>>So the stolen property argument you give might not hold. The 
>>>>change wrought by the DMCA is that it makes trafficking in the 
>>>>tools needed to get at encrypted data, regardless whether one has 
>>>>a right to (there is an exemption for law enforcement) unlawful.
>>>
>>>There's language governing that in the statute. Trafficking in 
>>>tools specifically designed to break a given form of copy 
>>>protection is one thing. The continued availability of legal tools 
>>>for cryptanalysis and legitimate password cracking is another. As 
>>>bad as the DMCA is, it's not _that_ bad.
>Arnold replied:
>
>>I've read the statute very carefully and I never found such 
>>language. (You can read my analysis at 
>>http://world.std.com/~reinhold/DeCSSamicusbrief.html) It's 
>>certainly possible that I overlooked something. Perhaps you could 
>>cite the language you are referring to?
>
>Sure.
>
>In Section 1204, we see reference to "works protected by this 
>title." The DMCA as enacted is part of Title 17, which is 
>specifically copyright laws. Copyright law in the US gives a person 
>access to his own work
>and also allows for fair use _as defined by the courts_. 
>Pro-consumer types failed to get language reminding the reader that 
>fair use still applied. Drafters argued that would have been 
>redundant. See ulterior motives here, if you want.

Ulterior motives or no, it's not in the law. Judge Kaplan and the 
Court of Appeals for the 2nd Circuit flatly rejected fair use 
arguments in the 2600 case.  The 2nd Circuit wrote "Fair use has 
never been held to be a guarantee of access to copyrighted material 
in order to copy by the fair user's preferred technique or in the 
format of the original."

>
>Anyway, the DMCA as enacted (with my emphasis in caps) says in 
>Chapter 12, Sec. 1204:
>
>‘‘(2) No person shall manufacture, import, offer to the public, 
>provide, or otherwise traffic in any technology, product, service, 
>device, component, or part thereof, that—
>
>‘‘(A) is PRIMARILY designed or produced for the purpose of 
>circumventing a technological measure that effectively controls 
>access to a work PROTECTED UNDER THIS TITLE;

Again just about any work produced today is copyrighted and therefore 
protected under this title.

>
>‘‘(B) has only limited commercially significant purpose or use other 
>than to circumvent a technological measure that effectively controls 
>access to a work protected under this title; or
>
>‘‘(C) is marketed by that person or another acting in concert with 
>that person with that person’s knowledge for use in circumventing a 
>technological measure that effectively controls access to a work 
>protected under this title."
>
>All those references to works protected under this title do nothing 
>to keep you from getting at your own stuff. The rest of the language 
>also tells you if you want to use a copy of Crack to get to some of 
>your own system files, well, go ahead.

I agree that you can get at your own work.  I said you might be over 
the line if you help someone else get at their stuff, especially if 
you get paid for it.  In drafting this reply, I found a footnote (14) 
in the Second Circuit's 2600 opinion that suggests such assistance 
*is* permissible:

"When read together with the anti-trafficking provisions, subsection 
1201(a)(3)(A) frees an individual to traffic in encryption technology 
designed or marketed to circumvent an encryption measure if the owner 
of the material protected by the encryption measure authorizes that 
circumvention."

I am not a lawyer, but I think this might be considered "dicta," 
statements in a court opinion that are not necessary to the decision, 
and lack binding precedential value. There is also the question of 
what "owner" means.  Still, it is encouraging.

>Now, you're probably thinking "ah hah! He didn't clear up the 
>problems with the 'primary purpose' stuff." But not quite. We have a 
>right to use our VCRs today because a court has already ruled that a 
>VCR's primary purpose is not piracy. So far, the courts have 
>understood "primary purpose" to mean "This purpose and pretty much 
>no other."

As I pointed out above, other uses arguments have not gotten anywhere 
in court to date with respect to DMCA.

>Can we quibble about this? Absolutely. But I haven't heard anyone 
>come up with a good way of saying that your system maintenance tools 
>are legitimate, except to say that they are primarily _not_ for 
>breaking in to others' machines. Still, who uses sniffers more, sys 
>admins or the bad guys? I bet the latter, on any given day.

DMCA is much more broadly written than 18 USC 1030, which deals with 
breaking into others' machines.

>
>All that said, one would still want some language making clear that 
>what researchers do is OK. The statute does it, more or less, 
>through provisions for research in Chapter 12, Sec. 1201:

I would say less. See my comments below and my amicus brief 
http://world.std.com/~reinhold/DeCSSamicusbrief.html, which the 
Second Circuit ignored.

>
>‘‘(g) ENCRYPTION RESEARCH.—
>
>‘‘(1) DEFINITIONS.—For purposes of this subsection—
>
>‘‘(A) the term ‘encryption research’ means activities necessary to 
>identify and analyze flaws and vulnerabilities of encryption 
>technologies applied to copyrighted works, if these activities are 
>conducted to advance the state of knowledge in the field of 
>encryption technology or to assist in the development of encryption 
>products; and

This applies to research, not other uses of cryptoanalytic technology.

>
>‘‘(B) the term ‘encryption technology’ means the scrambling and 
>descrambling of information using mathematical formulas or 
>algorithms.
>
>
>‘‘(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH.—Notwithstanding the 
>provisions of subsection (a)(1)(A), it is not a violation of that 
>subsection for a person to circumvent a technological measure as 
>applied to a copy, phonorecord, performance, or display of a 
>published work in the course of an act of good faith encryption 
>research if—
>
>‘‘(A) the person lawfully obtained the encrypted copy, phonorecord, 
>performance, or display of the published work;

Save that receipt.

>
>‘‘(B) such act is necessary to conduct such encryption research;

The judge is looking over your shoulder.

>
>‘‘(C) the person made a good faith effort to obtain authorization 
>before the circumvention; and

You have to ask permission and expose your self to possible legal 
action. Has anyone here actually tried to get permission from a 
copyright owner to attempt to break encryption?

>
>‘‘(D) such act does not constitute infringement under this title or 
>a violation of applicable law other than this section, including 
>section 1030 of title 18 and those provisions of title 18 amended by 
>the Computer Fraud and Abuse Act of 1986.
>
>‘‘(3) FACTORS IN DETERMINING EXEMPTION.—In determining whether a 
>person qualifies for the exemption under paragraph (2), the factors 
>to be considered shall include—

The phrase "factors to be considered" means each situation requires a 
separate, time consuming and expensive determination by a court.

>
>‘‘(A) whether the information derived from the encryption research 
>was disseminated, and if so, whether it was disseminated in a manner 
>reasonably calculated to advance the state of knowledge or 
>development of encryption technology, versus whether it was 
>disseminated in a manner that facilitates infringement under this 
>title or a violation of applicable law other than this section, 
>including a violation of privacy or breach of security;

If you publish too many details, you may lose your research exemption.

>
>‘‘(B) whether the person is engaged in a legitimate course of study, 
>is employed, or is appropriately trained or experienced, in the 
>field of encryption technology; and

I trust everyone's credentials are in order.

>
>‘‘(C) whether the person provides the copyright owner of the work to 
>which the technological measure is applied with notice of the 
>findings and documentation of the research, and the time when such 
>notice is provided.

You have to give them another opportunity to sue before you publish.

>‘‘(4) USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES. 
>—Notwithstanding the provisions of subsection (a)(2), it is not a 
>violation of that subsection for a person to—
>
>‘‘(A) develop and employ technological means to circumvent a 
>technological measure for the sole purpose of that person performing 
>the acts of good faith encryption research described in paragraph 
>(2); and
>
>‘‘(B) provide the technological means to another person with whom he 
>or she is working collaboratively for the purpose of conducting the 
>acts of good faith encryption research described in paragraph (2) or 
>for the purpose of having that other person verify his or her acts 
>of good faith encryption research described in paragraph (2)."

Not that there is nothing in the above two paragraphs that permits 
one to *publish* the results of the research.

>
>Note that all this leaves Ed Felten's recent work in the clear. It 
>also explains why the RIAA soiled its legal briefs when faced with 
>_his_ lawyers in court.

Felton was threatened for attempting to publish his work, not for 
doing the research. Again, there is no language in the law that 
authorizes publication. I don't know what the RIAA was thinking, but 
they were on shaky First Amendment grounds and probably did not want 
to lose an early test of the law. If the law is upheld elsewhere, 
they may get bolder.

>
>-------------------------
>
><Phew!>
>
>OK. so that's my rap on why this law is bad but won't likely put 
>anyone on this list in jail. The biggest problem, I think, is not 
>its prohibitions but the legal cudgel it gives to certain people who 
>would like to silence others.
>
>If this is the looming disaster many of us feared (I'm talking about 
>stuff much worse than the DeCSS cases here) it should have fallen on 
>us by now. The fact that it hasn't gives me hope. Maybe I'm just too 
>naive!
>
>Will

I agree with you that the law ought not to apply to ordinary 
cryptographic activity and that it should be unconstitutional if it 
does. But the law can be read the other way and it has survived 
unscathed so far. Add to that the post Sept 11 attitude of accepting 
greater restrictions on personal liberty and the likelihood of 
further incidents of alleged crypto use by terrorists, drug dealers 
and pornographers, and I think there is a real danger that it may be 
used against cryptographers.

The Second Circuit's 2600 ruling is particularly troublesome in this 
regard since it allows software to be proscribed based on the 
functional effect it can have on computer systems, not withstanding 
the fact that it is speech. If that ruling is upheld, we might see 
the enemies of open cryptography become more aggressive.

I'm not suggesting that anyone panic or stop their research and 
publication. But people should be aware of the risk, get competent 
legal advice and at least take care to document in writing situations 
where they believe they are breaking encryption systems with the 
owner's permission.


Arnold Reinhold



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list