James Delahunty
15 Apr 2006 14:25
The Electronic Frontier Foundation (EFF) is continuing its excellent work with the publication of its latest article, "Unintended Consequences: Seven Years under the DMCA". It is a collection of real-life examples of how the Digital Millennium Copyright Act (DMCA) has been mis-used in the United States to chill free expression and scientific research, jeopardize fair-use and impede competition and innovation. The article succeeds in proving that the DMCA is not being used as Congress had intended it to be.
Here are some extracts of the examples given by the Electronic Frontier Foundation...
DMCA Delays Disclosure of Sony-BMG "Rootkit" Vulnerability
J. Alex Halderman, a graduate student at Princeton University, discovered the existence of several security vulnerabilities in the CD copy-protection software on dozens of Sony-BMG titles. He delayed publishing his discovery for several weeks while consulting with lawyers in order to avoid DMCA pitfalls. This left millions of music fans at risk longer than necessary.5 The security flaws inherent in Sony-BMG's "rootkit" copy-protection software were subsequently publicized by another researcher who was apparently unaware of the legal risks created by the DMCA.
Security researchers had sought a DMCA exemption in 2003 in order to facilitate research on dangerous DRM systems like the Sony-BMG rootkit, but their request was denied by the U.S. Copyright Office.
Cyber-Security Czar Notes Chill on Research
Speaking at MIT in October 2002, White House Cyber Security Chief Richard Clarke called for DMCA reform, noting his concern that the DMCA had been used to chill legitimate computer security research. The Boston Globe quoted Clarke as saying, "I think a lot of people didn't realize that it would have this potential chilling effect on vulnerability research."
Professor Felten's Research Team Threatened
In September 2000, a multi-industry group known as the Secure Digital Music Initiative (SDMI) issued a public challenge encouraging skilled technologists to try to defeat certain watermarking technologies intended to protect digital music. Princeton computer science professor Edward Felten and a team of researchers at Princeton, Rice, and Xerox took up the challenge and succeeded in removing the watermarks.
When the team tried to present their results at an academic conference, however, SDMI representatives threatened the researchers with liability under the DMCA. The threat letter was also delivered to the researchers' employers and the conference organizers. After extensive discussions with counsel, the researchers grudgingly withdrew their paper from the conference. The threat was ultimately withdrawn and a portion of the research was published at a subsequent conference, but only after the researchers filed a lawsuit.
After enduring this experience, at least one of the researchers involved has decided to forgo further research efforts in this field.
SunnComm Threatens Grad Student
In October 2003, a Princeton graduate student named J. Alex Halderman was threatened with a DMCA lawsuit after publishing a report documenting weaknesses in a CD copy-protection technology developed by SunnComm. Halderman revealed that merely holding down the shift key on a Windows PC would render SunnComm's copy protection technology ineffective. Furious company executives then threatened legal action.
The company quickly retreated from its threats in the face of public outcry and negative press attention. Although Halderman was spared, the controversy again reminded security researchers of their vulnerability to DMCA threats for simply publishing the results of their research.
Hewlett Packard Threatens SNOsoft
Hewlett-Packard resorted to DMCA threats when researchers published a security flaw in HP's Tru64 UNIX operating system. The researchers, a loosely-organized collective known as Secure Network Operations ("SNOsoft"), received the DMCA threat after releasing software in July 2002 that demonstrated vulnerabilities that HP had been aware of for some time, but had not bothered to fix.
After the DMCA threat received widespread press attention, HP ultimately withdrew the threat. Security researchers received the message, however-publish vulnerability research at your own risk.
Blackboard Threatens Security Researchers
In April 2003, educational software company Blackboard Inc. used a DMCA threat to stop the presentation of research on security vulnerabilities in its products at the InterzOne II conference in Atlanta. Students Billy Hoffman and Virgil Griffith were scheduled to present their research on security flaws in the Blackboard ID card system used by university campus security systems but were blocked shortly before the talk by a cease-and-desist letter invoking the DMCA.
Blackboard obtained a temporary restraining order against the students and the conference organizers at a secret "ex parte" hearing the day before the conference began, giving the students and conference organizer no opportunity to appear in court or challenge the order before the scheduled presentation. Despite the rhetoric in its initial cease and desist letter, Blackboard's lawsuit did not mention the DMCA. The invocation in the original cease-and-desist letter, however, underscores the way the statute has been used to chill security research.
Xbox Hack Book Dropped by Publisher
In 2003, U.S. publisher John Wiley & Sons dropped plans to publish a book by security researcher Andrew "Bunnie" Huang, citing DMCA liability concerns. Wiley had commissioned Huang to write a book that described the security flaws in the Microsoft Xbox game console, flaws Huang had discovered as part of his doctoral research at M.I.T.
Following Microsoft's legal action against a vendor of Xbox "mod chips" in early 2003, and the music industry's 2001 DMCA threats against Professor Felten's research team, Wiley dropped the book for fear that the book might be treated as a "circumvention device" under the DMCA. Huang's initial attempt to self-publish was thwarted after his online shopping cart provider also withdrew, citing DMCA concerns.
After several months of negotiations, Huang eventually self-published the book in mid-2003. After extensive legal consultations, Huang was able to get the book published by No Starch Press.