TOWARD A MORE SENSIBLE WAY TO REGULATE …

TOWARDS MORE SENSIBLE
ANTI-CIRCUMVENTION
REGULATIONS
Pamela Samuelson, UC Berkeley,
Financial Cryptography ’00
February 21, 2000
2/21/00
Financial Cryptography '00
1
OVERVIEW OF TALK
• Origins of new legal regulations concerning
circumvention of technical protection
systems
• Overview of act-of-circumvention and anti-device rules
• Why these rules are troublesome
• Possible paths to rectifying the problems
CIRCUMVENTION IN
CONTEXT
• Before a group of cryptographers, it is wise to
recognize that this community regards
circumventing TPS and making tools to
circumvent TPS as natural and good (can’t
improve security without trying to break it)
• But now that other industries are using encryption,
they have different perspectives
• Hollywood, in particular, likens circumvention to
“breaking & entering,” and software to do this as
“burglars’ tools”
WHY ANTI-CIRCUMVENTION REGS?
• U.S. “White Paper” on Intellectual Property & the
NII (1995) (its author = former copyright lobbyist)
• Proposed to outlaw tools (sw or hw) whose
“primary purpose or effect” was to bypass TPS
used by copyright owners to protect their works
• Nearly identical provision proposed for
international treaty
• Copyright industries were strong supporters of
Clinton; stronger copyright laws as quid pro quo
MORE ON WHY
• White Paper anticipated global market for
digital copyrighted works
• TPS to overcome vulnerability to “piracy”
• Need for legal reinforcement for TPS to
outlaw circumvention/piracy-enabling tools
• “Not unprecedented” (DAT law, satellite
broadcasting “black-box” decoders)
DEVELOPMENTS IN ‘95-’96
• WP legislation was highly controversial
• Anti-circumvention only 1 of several problems
(most attention to ISP liability)
• Equipment mfrs: unfair to hold responsible for
what users do; can’t respond to all TPS; need for
exceptions
• So broad, NSA could have been shut down
(because they make tools to circumvent TPS &
virtually all content “sniffed” is copyrighted)
WIPO DEVELOPMENTS
• Diplomatic conference at the World Intellectual
Property Organization in Geneva in Dec. 1996
• Draft treaty contained variant on US a/c proposal
• A/c provision was highly controversial: worries
about effect on public domain, fair use,
technological development
• Compromise in final treaties: “adequate”
protection and “effective” remedies vs.
circumvention of TPS
POST-WIPO EVENTS
• Post-WIPO clash of titans over ISP liability:
Hollywood v. telcos/ISPs
• Compromise on ISP issue (“safe harbors”)
broke logjam in March 1998
• Political capital largely spent on ISP issue
• Some compromise as to anti-circumvention
regs in DMCA, but not as to tools provision
• US pushing other countries to adopt its rules
ACT-OF-CIRCUMVENTION
• Treaty so vague that legislation not needed in US,
but even if so, only as to circumvention
• Campbell-Boucher bill: proposed to outlaw
circumvention of TPS to enable copyright
infringement
• MPAA: wanted all circumvention outlawed
• Compromise in DMCA: illegal to circumvent
access control, 17 U.S.C. s. 1201(a)(1)
• 2 year moratorium; LOC study; 7 exceptions
EXCEPTIONS TO 1201(a)(1)
• Legitimate law enforcement & national
security purposes
• Reverse engineering for interoperability
• Encryption research and computer security
testing
• Privacy protection & parental control
• Nonprofit “shopping privilege”
ANTI-DEVICE PROVISIONS
• Illegal to “manufacture, import, offer to
public, provide or otherwise traffic” in
• Any “technology, product, service, device,
[or] component”
• If primarily designed or produced to
circumvent TPS, if only limited commercial
purpose other than to circumvent TPS, or if
marketed for circumvention uses
MORE ON DEVICE RULES
• 1201(a)(2)--devices to circumvent effective
access controls
• 1201(b)(1)--devices to circumvent effective
controls protecting right of copyright owners
• Actual & statutory damages + injunctions
• Felony provisions if willful & for profit
• MPAA v. Reimerdes 1st civil case
MPAA v. REIMERDES
• Injunction vs. posting of DeCSS on websites or
otherwise making it available
• CSS is effective access control for DVDs
• DeCSS circumvents it & has no other
commercially significant purpose
• Lack of evidence for Linux compatibility
argument
• Besides, 1201(f) only protects interoperation with
programs, not “data” on DVD
DVD-CCA v. McLAUGHLIN
• Trade secret misappropriation case
• Not just vs. posting, but also vs. linking
• CSS = proprietary information; DVD-CCA took
reasonable steps to maintain secret
• Inference: someone must have violated clickwrap
license forbidding reverse engineering
• Even though DeCSS on web for 4 months, not to
enjoin would encourage posting TS on Web
• Judge upset by “boasting” about disrespect for law
IMPLICATIONS OF DVD-CCA
• Anti-reverse engineering clauses are common in
software licenses; enforcement worrisome
• Willingness to enforce and treat information
obtained through reverse engineering as trade
secret also worrisome
• Willingness to enjoin information that has been
public for several months may be error
• “Fruit of poisonous tree” rationale (judge knows
Johansen didn’t reverse engineer, nor did many
posters, yet held as trade secret misappropriators)
CURIOUS THINGS ABOUT
1201
• Only 3 exceptions to 1201(a)(1) explicitly
allow building tools
• Only interoperability exception limits both
anti-device rules
• Did Congress mean to allow circumvention
to make fair use, yet make it illegal to make
tools needed to accomplish? (Ha! Ha!)
• LOC to study only act, not device rules
PROBLEMS WITH A/C REGS
• Legitimate purpose circumventions
– existing exceptions overly narrow
– need for general purpose exception
– clarify that fair use circumvention is OK
• “Dual use” technologies
– tools to enable legitimate uses
– how device rules could be narrowed
• Copyright-centric regulations
EXCEPTIONS TOO NARROW
• Interoperability: not just programs; other
reverse engineering may be legitimate
• Encryption and computer security research:
– no authorization and expert requirements
– OK to make tools
– less onerous rules on disseminating results
• Privacy exception: Windows 2000
hypothetical (see BTLJ paper)
A GENERAL PURPOSE
EXCEPTION?
• Need for “or other legitimate purpose”
exception to access control rule
• Examples of other legitimate acts:
– if reasonable grounds to believe infringing copy
or computer virus inside TPS
– illegitimate invocation of “technical self-help”
• Courts able to tell difference between
legitimate & illegitimate acts
DUAL USE TECHNOLOGIES
• Circumvention tools are not burglars’ tools
• Ways to narrow rules:
– substantial noninfringing use standard
– intent/knowledge/injury/infringement requirement
– commercially significant cf. apparent legitimate
purpose (freeware should not be vulnerable)
– technology-specific (e.g., circumvention of SCMS)
• Think through relation between range of
legitimate circumventions and availability of tools
(if X is lawful, tool to do X should be OK)
COPYRIGHT-CENTRICITY
• Encryption protects more than commercial
copyrighted products (e.g., private personal
communications, trade secret/confidential business
information, e-cash)
• Circumvention of encrypted information is a more
general problem (sometimes legitimate, sometimes
not)
• So is the availability of circumvention technology
• Would suggest the need for a general law
UNINTENDED
CONSEQUENCES?
• Copyright law protects “original works of
authorship” from moment of 1st fixation
• Private email is copyrighted, so are business
documents
• If encrypt to control access, circumvention would
be illegal under 1201(a)(1), even if legitimate
reason (e.g., employer has reason to believe
contents are pornographic)
• Less clear 1201(a)(1) applies to e-cash (although
circumvention a problem here too)
UNINTENDED
CONSEQUENCES?
• X makes software that circumvents Y’s encryption
system
• Z is a copyright owner who decides to use Y’s
encryption system to protect digital pictures
• Does X’s tool then become illegal?
• Can Y sue X? Can Z sue X? What harm has X’s
software done to Y or Z?
• 1201(a)(2) and (b)(1) do not require any
underlying infringement; mere potential is enough
WAYS TO CHANGE RULES
• Common law interpretation (some judges
will stretch existing exceptions)
• Legislative amendments to 1201
– broaden encryption/computer security
exceptions
– general purpose exception
– narrow tools provision
• Broadened LOC studies/rulemaking
LIBRARY OF CONGRESS
STUDY
• Main focus: consider impact of act-of-circumvention rules on fair use and other
noninfringing uses
• LOC can issue rules exempting works or user
groups from act-of-circumvention rules
• Need for study of impact of anti-device rules
because overbroad and contradictory to other
aspects of 1201
• Potential for deleterious consequences (e.g.,
“strike suits” & “chilling effects”)
CONCLUSION
• Copyright industries intend to exercise substantial
control over encryption policy
• They may have a myopic perspective (but they
think cryptographers are myopic)
• Good news is that encryption research/computer
security testing is exempt in US (but not in EU)
• Bad news is that the US is promoting overbroad
anti-device rules outside US
• 1201 unlikely to be repealed, but could be better &
you can help make it so