|
|
|
Update! (August 2001)
The material below was written in early August 1998. Despite our attempts to point out flaws, the bill was passed as the DMCA (Digital Millennium Copyright Act).
In early 2001, a group of researchers including Professor Ed Felten (who was a cosigner of the original letter) were threatened with a lawsuit by various companies associated with the SDMI (Secure Digital Music Initiative). The reason for the lawsuit threat? They were going to publish a research paper discussing their research!
Then, in the summer of 2001, a Russian scientist, Dmitry Sklyarov, was arrested during a visit to the United States after giving a technical talk on his work with finding flaws in ebook encryption.
More recent details on these issues may be found at the WWW sites for the USACM and EFF.
Contents
What this is about
What this is about
The World Intellectual Property Organization (WIPO) produced a new treaty in 1996 for the protection of intellectual property. The U.S. signed the treaty, and Congress has been considering enabling legislation to bring U.S. law into alignment with treaty provisions.
As part of this legislative process, a number of major trade groups and industry lobbyists have weighed in with their desires for the legislation. It appears as if only content producers and providers (e.g., entertainment companies and software publishers) have had significant influence, and the resulting law is very biased in their favor.
In particular, the law in its current form appears to:
Thus, either directly or as unintended (?) consequences, the bill could severely restrict what professionals can do in education, research, and the practice of information security.
The biggest problem with the bill is that it outlaws technology and research rather than simply criminalizing violations of copyright. This is roughly analogous to outlawing automobiles and research into engine design to prevent the possibility of drunk driving.
A number of prominent lawyers have reviewed this bill and communicated their findings to me: they all agree (as much as any group of lawyers can agree) that the bill is as dismal as I have outline here.
The bill has passed the Senate. In the House, it has passed two major committees: Judiciary and Commerce. The Judiciary version is basically the version that passed the Senate. The version that passed the Commerce committee has had a few small amendments attached, including one that exempts some encryption research from the law -- but no general exemptions exist for other work in security.
What I Have Done About It
After consulting with personnel on the ACM's Public Policy committee (of which I am a member), and staff of the Computing Research Association's Washington office (I am on the board of CRA), I wrote a letter to several members of Congress -- including the Speaker of the House, the chairs and ranking minority members of several involved House committees, and some key Senators. This is not a letter from either ACM or CRA, but a letter from me as a senior security professional.
The letter outlines why I think the law is damaging to the profession, and encourages the Congressmen to do what they can to either have the bill reconsidered or simply not considered on the floor of the House this term.
I decided to ask other security professionals if they wanted to be co-signers. 48 leading professionals agreed to add their names to the letter, despite there being only a few days to respond.
What You Can Do
You can read my letter. If you agree with what I wrote in the letter, then you can write your own letter to your representative and senators expressing your opinion on the legislation. A phone call, or a personal visit to their local offices might also be beneficial.
More Information
You can obtain more information on the Digital Millennium Act, H.R. 2281, by consulting these pages:
Letter Recipients
|
|
|
|
Representative Newt Gingrich |
|
|
Representative Richard Armey |
|
|
Representative Tom DeLay |
|
|
Representative Richard Gephardt |
|
|
Representative David E. Bonior |
|
|
Representative Gerald B.H. Solomon |
|
|
Representative Joe Moakley |
|
|
Representative Thomas J. Bliley |
|
|
Representative John D. Dingell |
|
|
Representative W.J. "Billy" Tauzin |
|
|
Representative Edward J. Markey |
|
|
Representative Edward Pease |
|
|
Representative Henry J. Hyde |
|
|
Representative John Conyers, Jr. |
|
|
Representative Howard Coble |
|
|
Representative Barney Frank |
|
|
Representative F. James Sensenbrenner, Jr. |
|
|
Representative George E. Brown, Jr. |
|
|
Senator Orrin G. Hatch |
|
|
Senator Patrick J. Leahy |
|
The Text of the Letter
August 1, 1998
Dear Representative/Senator X:
We, the undersigned, are a group of the nation's leading scientists and technologists in computer and network security with (collectively) hundreds of years of service in academia, industry and government. We are writing to express our profound concerns about both versions of H.R. 2281, the Digital Millennium Act. If passed in anything similar to its present form, H.R. 2281 has the potential to imperil computer systems and networks throughout the United States, criminalize many current university courses and research in information security, and severely disrupt a growing American industry in information security technology. The result would be grave damage to the U.S. economy and to national security. We recently became aware of provisions of this legislation, and we are now seeking to have H.R. 2281 recast to address our concerns, or prevented from being passed into law.
The growing use of network-based information sources does indeed create new opportunities that require updated protections. As producers ourselves of articles, books and software, we are in favor of appropriate copyright regulations. However, H.R. 2281 takes an approach that has damaging side-effects: rather than criminalizing inappropriate actions, it would restrict technology and techniques that have legitimate and vital uses in information security, such as reverse-engineering. By analogy, the approach taken in 2281 is akin to banning the development and sale of automobiles to curtail drunk driving, or criminalization of the sale of paper and ink to prevent the possibility of libel. While sometimes of potential use to infringers, most information security-related technologies are also essential for security practitioners to maintain the protection of the public. Ironically, the provisions of H.R. 2281 may actually hinder researchers in developing and deploying future copyright protection technologies.
We believe that the damage that would be wrought by H.R. 2281 is unintentional. For instance, by amending H.R. 2281 to permit encryption research, the Commerce Committee evidenced recognition of the great importance of that sub-field of research. However, their version of the bill fails to further recognize that encryption research is simply one aspect of security research, and that research is different from actual practice. While that version of H.R. 2281 may exempt encryption research, it still criminalizes other crucial techniques used in security research and practice.
Here are four examples of how security practice and research consists of much more than encryption research and depends on technologies and techniques that H.R. 2281 would prohibit:
- When a new computer virus is discovered, it is necessary to reverse-engineer the programs that are affected to discover how the virus spreads, how to remove it to disinfect the programs, and how to build defenses against future encounters with the same virus. However, H.R. 2281 only allows reverse engineering for the purposes of interoperability. This legislation would thus criminalize anti-virus efforts because they include examination of copyrighted code for other than the "sole purpose" of interoperability. Furthermore, it would criminalize the development, refinement, and sale of any software tools that would make such virus analysis more effective.
- Penetration analysis is a time-tested method of examining networks and computers for unnoticed security flaws. Regularly used by major accounting firms, government agencies, and independent consultants in assessing security, penetration analysis is the practice of breaking into a system to see if it resists attack. Because penetration analysis is not encryption research, H.R. 2281 might criminalize the teaching, the performance, and the development of supporting technology for many forms of this valuable approach to security research and practice.
- Several universities offer detailed coursework in software disassembly, reverse-engineering, penetration analysis, and related fields as a means of training information security professionals. This is not done to violate the property rights of any software owners but to provide an appropriate education in an area of critical national need; this is similar to medical students learning dissection and anatomy on real bodies to hone fundamental skills. H.R. 2281 could be interpreted as prohibiting such education, labeling it as "trafficking in certain technologies... that can be used to circumvent a technological protection measure."
- Major vendors are often unable (or unwilling) to adequately test mass-market software packages. When these packages are released into the marketplace, they are adopted by thousands of businesses. With the significant emphasis on cost-cutting and interoperability, these "COTS" (commercial, off-the-shelf) packages are also widely adopted by U.S. government agencies and the military. Upon release, these packages are intensely scrutinized by hackers, spies, and criminals throughout the world as they search for flaws they can exploit. The same packages are also examined by hundreds of computer users, searching for flaws so as to protect their own systems. When these "good guys" find flaws, they report them to the vendors and the user community so that the flaws can be fixed. While real criminals will not be dissuaded, H.R. 2281, in any of its forms, will almost certainly restrict those who wish to search and report flaws in "good faith."
We are law-abiding citizens who work in a leading-edge area of science and technology; we are not seeking to infringe others' valid economic interests protected by copyright. However, to advance the state of the art, it is necessary for us to have freedom of inquiry and experimentation. It is essential that we be able to freely conduct security research so that stronger and more robust technology protection measures will be developed. Thereafter, professionals need the freedom to apply the results of our research to protect the interests of copyright owners, the privacy of citizens, and the security of U.S. business and government.
We urge Congress to reconsider H.R. 2281 -- both the version passed by the Committee on the Judiciary and the Commerce Committee. We believe the best approach is to criminalize inappropriate behavior and intent, and not ban technology with multiple uses in this fast-moving field of critical, national importance. If such a reconsideration is not possible, we strongly recommend that the bill not be passed this legislative session. Several of us are willing to assist Congress in developing an appropriate replacement or modification of the legislation, if asked.
(N.B. Titles. affiliations and city of residence below are provided for identification only; the material presented in this letter is the personal and professional opinion of the people listed, and not necessarily the official position of their employers or organizations.)
Eugene H. Spafford, Ph.D., FACM
Professor of Computer Sciences
Director, Center for Education and Research in
Information Assurance and Security (CERIAS)
Director, the COAST Laboratory
Purdue University
West Lafayette, IN 47907-1398
(765) 494-7825
<spaf@cerias.purdue.edu>
Co-Signers
|
Ronald L. Rivest, Ph.D.
|
Peter S. Browne
|
|
Howard O. Halpin III
|
Peter J. Denning, PhD, FACM, FIEEE, FAAAS
|
|
Lance J. Hoffman, Ph. D., FACM
|
Thomas A. Berson, Ph.D.
|
|
Joan Feigenbaum, PhD
|
Andrew W. Appel, Ph.D., FACM
|
|
Keith A. Marzullo, Ph.D.
|
William J. Cook
|
|
Daniel E. Geer, Jr., Sc.D.
|
Virgil D. Gligor, Ph.D.
|
|
J. Douglas Tygar, PhD
|
Kevin S. McCurley, Ph.D.
|
|
Dr. J. Thomas Haigh, Ph.D.
|
Ross Stapleton-Gray, Ph.D.
|
|
Edward W. Felten, Ph.D.
|
Bruce Schneier
|
|
David P. Maher, Ph.D.
|
Bennet S. Yee, PhD
|
|
Karen F. Worstell
|
Michael Merritt, PhD
|
|
Stuart Haber, Ph.D.
|
Jack V. Leifel
|
|
Gary Garb,
|
Jonathan K. Millen, Ph.D.
|
|
Susan Swope, CISSP
|
Barbara J. Pease
|
|
Hilary H. Hosmer
|
Michael K. Reiter, Ph.D.
|
|
Jonathan Trostle, PhD
|
John J. Kinyon
|
|
Becky Bace
|
Douglas R. Steinbaum
|
|
James Cannady
|
Julie L. Connolly
|
|
Daylan Darby
|
Joseph C. Konczal
|
|
William Hill
|
Daniel Thomas Grove
|
|
Steven W. Lodin
|
Robert H. Bagwill
|
|
Roger A. Safian
|
Carl M. Ellison
|
|
David R. Campbell, CNE
|
Puck-Fai
|
|
Amgad Fayad
|
David Wagner
|
