Copyright act gags programmers
Two well-known computer security experts pulled down their works from the Internet this week for fear of being prosecuted under 1998's Digital Millennium Copyright Act.
Along with the threatened lawsuit of Princeton computer-science professor Edward Felten, and the arrest of Russian encryption expert Dmitry Sklyarov, the incidents are the latest to point at what is quickly becoming a touchy environment for security experts.
"When they started to arrest people and threaten researchers, I decided the legal risk was not worth it," said Fred Cohen, a well-known security consultant and a professor of digital forensics, who took his evidence-gathering tool--dubbed Forensix--off his Web site earlier this week.
Dug Song, a security expert at network-protection company Arbor Networks, pulled his own site down in protest as well. Now the only text on the site, "Censored by the Digital Millennium Copyright Act," links to a DMCA protest site, Anti-DMCA.org.
And last month, fearing retribution, Dutch encryption expert Niels Ferguson refused to publish his discovery that Intel's encryption scheme for Firewire connections, known as the high-bandwidth digital content protection (HDCP) system, had a major flaw.
"I travel to the US regularly, both for professional and for personal reasons," he said in an online statement. "I simply cannot afford to be sued or prosecuted in the US I would go bankrupt paying for my lawyers."
Lawyers and proponents of the law argue that the response from the security community is at best a misinterpretation of the law and more likely protest veiled as legitimate fear.
"Some of the opponents of the DMCA are trying to resurrect this issue to get another day in court," said Robert Holleyman, president and chief executive of the Business Software Alliance, the piracy-fighting organisation that represents the lion's share of software companies. "Security testing is definitely permitted under the DMCA."
The DMCA, passed in 1998, prohibits the circumvention of copy protection and the distribution of devices that can be used to circumvent copyrights--even if their users don't do anything illegal once they've broken the security. Software makers, Hollywood and the music industry make up the core proponents of the law.
The BSA says such laws are necessary to head off software piracy, which the group estimates cost software companies $11bn (about £8bn) in lost revenue last year.
Yet, for many security researchers the question is whether stress-testing the security of software products and publicising vulnerabilities and how they were taken advantage of violates the DMCA.
"There are provisions in the law for certain security research," said Mark Smith, a network-security engineer and spokesman for Anti-DMCA.org, "but you shouldn't have to hire a lawyer to make sure you are not breaking a law."
That's a problem in an industry where a large number of security vulnerabilities are found by individuals and small groups of hackers--the people without the deep pockets to fend off a lawsuit or hire lawyers to review research prior to its release.
That pretty much turns the question of publishing into a business decision, said consultant Cohen. "From a risk-management standpoint, I can't afford to deal with the issue," he said. "Some big businesses can afford to sell the product. I can't."
But Marc Zwillinger, an intellectual-property attorney and partner at Washington, DC law firm Kirkland & Ellis, calls Cohen's move a political one.
"I don't think that forensics software would (be considered illegal) under any reading of the DMCA," said the former Department of Justice attorney, who now files suit on behalf of copyright holders.
He said Cohen's forensics tool is a program that is not primarily designed to circumvent the protections of copyrighted work, so his actions are unnecessary. And the Dutch researcher has little to worry about, at least from US authorities, Zwillinger said. "You cannot be arrested under the DMCA unless you are selling software for profit," he said.
Yet the willingness of software makers and media companies to sue over any potential threat makes security researchers nervous.
In 1999, the movie industry filed multiple lawsuits against the creators of a program to decrypt DVD disks. Originally, the program had been created to add DVD playback ability to the Linux operating system.
This April, Princeton's Felten found himself on the sticky side of a threatened lawsuit when he planned to release research questioning the effectiveness of a purported Secure Digital Music Initiative. Following the filing of his own suit, the professor presented his paper at the USENIX Security Conference in August.
But it was the arrest and criminal indictment of Russian encryption expert Dmitry Sklyarov at the Def Con hacking conference that really drove the point home. The incident also unnerved Russian programmers thinking of visiting the United States.
"We would like to draw the attention of all the Russian software and programming specialists cooperating with US firms that, regardless of a final decision in the Sklyarov case, provisions of the 1998 Act may be used against them on the territory of the United States," the Russian Ministry of Foreign Affairs said in a statement issued last week.
Already, some security researchers are going underground.
Last week, when an encryption expert reportedly found a hole in Microsoft's e-Book format, he anonymously went to the news media rather than face arrest.
According to Anti-DMCA.org's Smith, the DMCA could dramatically set back computer security. "We crash test cars to create stronger, safer vehicles," he said. "We need to crash test software to promote stronger, safer software. But with the DMCA, a company can do minimal research on security, and if someone does crack their software, they can sic the FBI on them."
See the Net Crime News Section for the latest on hacking, fraud, online child safety, viruses and legal issues.
See the Software News Section for full coverage.
Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.
Let the editors know what you think in the Mailroom. And read other letters.