Re: Criminalizing crypto criticism
On Tue, 31 Jul 2001, Rick Smith at Secure Computing wrote: > There are probably enough "cryptography researchers" out there that even a > large vendor won't feel tempted to harass them all proactively. All they have to do is make a messy example out of one or two. (It also helps if you can get a prosecutor that is working on a promotion to help out.) [EMAIL PROTECTED] | Note to AOL users: for a quick shortcut to reply Alan Olsen| to my mail, just hit the ctrl, alt and del keys. "All power is derived from the barrel of a gnu." - Mao Tse Stallman - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Criminalizing crypto criticism
At 01:13 PM 7/27/2001, Steven M. Bellovin wrote: >It's certainly not broad enough -- it protects "encryption" research, >and the definition of "encryption" in the law is meant to cover just >that, not "cryptography". And the good-faith effort to get permission >is really an invitation to harrassment, since you don't have to >actually get permission, merely seek it. Hmmm. What would happen if every "legitimate" cryptography researcher routinely transmitted an announcement to every vendor of copy protection telling them that the researcher was going to be 'researching' the vendor's products? Research is such a wonderful term. I suppose I'm doing some sort of "cryptography research" just by looking at the bits that encode some sort of protected content. I must guiltily confess that I've been doing security long enough that I look with a skeptical eye at every "security implementation" I see, even if it's just a security camera or a string of barbed wire. There are probably enough "cryptography researchers" out there that even a large vendor won't feel tempted to harass them all proactively. Rick. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Criminalizing crypto criticism
On Friday 27 July 2001 11:13, Steven M. Bellovin wrote: > In message <[EMAIL PROTECTED]>, Declan McCullagh writes: > >One of those -- and you can thank groups like ACM for this, if my > >legislative memory is correct -- explicitly permits encryption > >research. You can argue fairly persuasively that it's not broad > >enough, and certainly 2600 found in the DeCSS case that the judge > >wasn't convinced by their arguments, but at least it's a shield of > >sorts. See below. > > It's certainly not broad enough -- it protects "encryption" research, > and the definition of "encryption" in the law is meant to cover just > that, not "cryptography". And the good-faith effort to get permission > is really an invitation to harrassment, since you don't have to > actually get permission, merely seek it. Even worse is if the "encryption" is in bad faith to begin with. (i.e. They know it is broken and/or worthless, but don't want the general public to find out.) Imagine some of the usual snake-oil cryto-schemes applied to copyrighted material. Then imagine that they use the same bunch of lawyers as the Scientologists. This could work out to be a great money-making scam! Invent a bogus copy protection scheme. Con a bunch of suckers to buy it for their products. Sue anyone who breaks it or tries to expose you as a fraud for damages. I mean if they can go after people for breaking things that use ROT-13 (eBooks) and 22 bit encryption (or whatever CSS actually uses), then you can go after just about anyone who threatens your business model. I guess we *do* have the best government money can buy. We just were not the ones writing the checks... - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Criminalizing crypto criticism
> Much of the hysteria regarding the DMCA's supposed ability to quash free > speech by cryptographic researchers is being whipped up by opponents > to the DMCA who are misrepresenting the DMCA in a calculated fashion in > order to promote opposition. The anonymous poster's legal analysis was not particularly novel. It states that the "exemptions" in the DMCA actually cover the things that they were supposedly intended to cover. That would be a refreshing change if it were true, but the law is full of weasel words and exemptions to the exemptions. Only accredited researchers, not cypherpunks, can do research, for example. And you're only exempt if you tell the company first, so they know to sue you before you do the research, rather than after the results are leaking out to the public. Neither my opinion nor the poster's opinion controls, though. What matters is what the judges will say, and how expensive it is to ordinary researchers to find out. In the 2600 case, what the judge said is that even if Jon Johansen might have been able to reverse- engineer DVD players under an exemption (an issue that he didn't decide), 2600 Magazine was unable, under the statute, to publish even *A LINK* to Jon's results. The judge swept aside all the clauses like: > 1201(c)(4): >Nothing in this section shall enlarge or diminish any rights of >free speech or the press for activities using consumer electronics, >telecommunications, or computing products. > > Clearly publication of cryptographic results is a fundamental part of > free speech and will not be infringed by the DMCA. The other side argued in the 2600 appeal that this was a standard "savings clause" inserted in the legislation and was not intended to mean anything. It goes like this: either the law is constitutional or it isn't. If it is constitutional, this clause is inoperative, since clearly those Constitutional rights weren't diminished. If the law violates the Constitution, then the Constitution, not the statute, controls what rights the public has; again this clause doesn't. The judge agreed with the government and Hollywood that it was clearly put in there to "buy off" some opponents of the DMCA and didn't have any legal effect. The only minor issue is that THOSE SUCKERS ACTUALLY BELIEVED IT, dropped their opposition, and let the DMCA become law. But that wasn't the judge's problem -- only the defendant's. > In fact the RIAA takes that same position now, as seen in > http://www.eff.org/Legal/Cases/Felten_v_RIAA/20010606_riaa_statement.html. Because the Felten case so clearly shows what's wrong with the DMCA, RIAA is desparately trying to convince the court that it need not, indeed cannot, make any decision in the Felten case. Therefore SDMI/RIAA is lying to the public and the court by saying that it never, *ever*, intended to sue or threaten. It was merely informing people about their rights, you see. They have moved to dismiss the case on the grounds that "we agree with the other side's legal analysis, so there's no issue for a court to decide." They only agree long enough to get out of that courtroom, then they'll find some way to be disagreeable again. The judge will decide whether to believe them or not; the papers are still being filed about that. > Princeton Professor Edward Felten and his research team were prevented > from presenting their results regarding flaws in SDMI at the Information > Hiding Workshop, based on a letter from the Recording Industry Association > of America which claimed that such publication would violate the DMCA. > In this case, the RIAA was mistaken about the application of the DMCA, > as the above analysis makes clear. Their mistakenness didn't prevent the RIAA from sending legal threats to every author of the Felten paper, every member of the conference committee that had decided to publish it, AND ALL OF THEIR BOSSES (one of whom, a US Navy commander, shamefully abandoned the soldier-under- fire who was reporting to him). It didn't prevent Adobe from getting its competitor Elcomsoft kicked off of four different spineless ISPs, by sending lawyer letters alleging copyright infringement TO THE ISP, when there was no copyright infringement going on. Mistakes in analysis, reconsidered a week later by Adobe, didn't prevent a US Attorney's office from bringing charges against Dmitry. Attorney General Ashcroft just announced that they're setting up a dozen more similar computer-and-copyright-prosecution task forces around the country -- none of which will have any practical experience with the DMCA yet. Their mistakes are your problem, not their problem, until YOU sue THEM. Will everyone in the infrastructure on whom you depend be as strong as you are in protecting your rights? After you lose your job, your Internet access, and your freedom of motion, because your scientific work threatened some lawyer-infested company's business model, if you have lots of spare money or raise lots of mo
Re: Criminalizing crypto criticism
Arnold Reinhold writes: > If you read the language carefully, you will see that 1201g only > permits *circumvention* as part of cryptographic research (and then > only under limited circumstances). There is nothing in the law that > allows publication of results. Not true. Look closely at http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR: (note that the final colon is part of the URL). 1201(a)(1)(A): No person shall circumvent a technological measure that effectively controls access to a work protected under this title. This is the basic provision which outlaws circumvention. 1201(g)(2): PERMISSIBLE ACTS OF ENCRYPTION RESEARCH- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if-- [Various provisions, including making a good faith effort to get permission] And this is the provision which allows encryption research even when that involves circumvention. Neither of these addresses publication. This is possibly covered in the following: 1201(a)(2): No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that-- (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title; (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title. It is not at all clear that publishing a research result relating to a cryptographic problem in a copyright protecting technology would fall into any of these categories. First, such a publication is clearly not a "product, service, device, component, or part thereof". Conceivably it could be a "technology" although most cryptographic papers are a long way from an actual technology. Second, the primary purpose of such a publication is not to enable circumvention, but to advance the state of the art in science. Hence it is not covered by provision (a)(2)(A), and not by (B) or (C) either. Nevertheless if publication were to be interpreted as being covered by this provision, there is a further exception in 1201(g): 1201(g)(4): USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to-- (A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and (B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2). Again, this appears to be interpreted in the context of (A)(2) forbidding the actual construction of devices which are are developed, employed, and distributed. Even if we interpret (A)(2) to include cryptographic publications, however, the provision still applies. Note in particular the language in (B) which allows another person to verify the act of good faith encryption research. This is one of the main purposes of publication, to allow verification of the results by others. Hence publications which show cryptographic holes in deployed encryption systems are exempt. This provision also allows the distribution of circumvention software for legitimate research purposes. Note too the additional provision: 1201(c)(4): Nothing in this section shall enlarge or diminish any rights of free speech or the press for activities using consumer electronics, telecommunications, or computing products. Clearly publication of cryptographic results is a fundamental part of free speech and will not be infringed by the DMCA. Much of the hysteria regarding the DMCA's supposed ability to quash free speech by cryptographic researchers is being whipped up by opponents to the DMCA who are misrepresenting the DMCA in a calculated fashion in order to promote opposition. Consider two recent cases. Dmitry Sklyarov of Russia has been arrested for violating the DMCA. Many DMCA opponents initially claimed that he
Re: Criminalizing crypto criticism
On Fri, Jul 27, 2001 at 06:36:53PM -0400, Arnold G. Reinhold wrote: [..] > > If you read the language carefully, you will see that 1201g only > permits *circumvention* as part of cryptographic research (and then > only under limited circumstances). There is nothing in the law that > allows publication of results. > > Even the recent Shamir, et. al. paper on RC4 and WEP could arguably > violate DMCA. WEP could be considered a TPM since it protects > copyrighted works (e.g. e-mail). More importantly RC4 could be used > in some other copy protection system that we don't know about Like an Adobe product- PDF uses RC4 for it's "password protection". Eric - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Criminalizing crypto criticism
At 1:56 AM -0400 7/27/2001, Declan McCullagh wrote: >On Thu, Jul 26, 2001 at 10:53:02PM -0400, David Jablon wrote: >> With these great new laws, there is no longer any risk of being legally >> criticised for using even the most glaringly flawed cryptography >>-- just use it >> for Copy Protection, and TADA! Negative criticism magically disappears. >> Almost by definition. >> >> Flaws can only be exposed by those who won't show their work, >> or from anonymous sources, who nobody will trust without confirmation [...] >[...] >> We seem to be entering the twilight zone -- the end of an exciting, >> but brief era -- of public cryptography. > >The DMCA may be bad, but it's not *that* bad. It contains a broad >prohibition against circumvention ("No person shall circumvent a >technological measure that effectively controls access") and then has >a bunch of exceptions. > >One of those -- and you can thank groups like ACM for this, if my >legislative memory is correct -- explicitly permits encryption >research. You can argue fairly persuasively that it's not broad >enough, and certainly 2600 found in the DeCSS case that the judge >wasn't convinced by their arguments, but at least it's a shield of >sorts. See below. If you read the language carefully, you will see that 1201g only permits *circumvention* as part of cryptographic research (and then only under limited circumstances). There is nothing in the law that allows publication of results. Even the recent Shamir, et. al. paper on RC4 and WEP could arguably violate DMCA. WEP could be considered a TPM since it protects copyrighted works (e.g. e-mail). More importantly RC4 could be used in some other copy protection system that we don't know about -- it's use might even be a trade secret. There is simply no way to guarantee that a given cryptoanalytic result doesn't compromise some TPM. Even software that breaks Ceaser ciphers could be actionable. DCMA is *that* bad. Arnold Reinhold > >-Declan > >PS: Some background on Sklyarov case: >http://www.politechbot.com/cgi-bin/politech.cgi?name=sklyarov > >PPS: Note you only get the exemption if you make "a good faith effort >to obtain authorization before the circumvention." Gotta love >Congress, eh? > > > >http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR: > >`(g) ENCRYPTION RESEARCH- > >`(1) DEFINITIONS- For purposes of this subsection-- > >`(A) the term `encryption research' means activities necessary to >identify and analyze flaws and vulnerabilities of encryption >technologies applied to copyrighted works, if these activities are >conducted to advance the state of knowledge in the field of encryption >technology or to assist in the development of encryption products; and > >`(B) the term `encryption technology' means the scrambling and >descrambling of information using mathematical formulas or algorithms. > >`(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH- Notwithstanding the >provisions of subsection (a)(1)(A), it is not a violation of that >subsection for a person to circumvent a technological measure as >applied to a copy, phonorecord, performance, or display of a published >work in the course of an act of good faith encryption research if-- > >`(A) the person lawfully obtained the encrypted copy, phonorecord, >performance, or display of the published work; > >`(B) such act is necessary to conduct such encryption research; > >`(C) the person made a good faith effort to obtain authorization >before the circumvention; and > >`(D) such act does not constitute infringement under this title or a >violation of applicable law other than this section, including section >1030 of title 18 and those provisions of title 18 amended by the >Computer Fraud and Abuse Act of 1986. > >`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person >qualifies for the exemption under paragraph (2), the factors to be >considered shall include-- > >`(A) whether the information derived from the encryption research was >disseminated, and if so, whether it was disseminated in a manner >reasonably calculated to advance the state of knowledge or development >of encryption technology, versus whether it was disseminated in a >manner that facilitates infringement under this title or a violation >of applicable law other than this section, including a violation of >privacy or breach of security; > >`(B) whether the person is engaged in a legitimate course of study, is >employed, or is appropriately trained or experienced, in the field of >encryption technology; and > >`(C) whether the person provides the copyright owner of the work to >which the technological measure is applied with notice of the findings >and documentation of the research, and the time when such notice is >provided. > >`(4) USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES- >Notwithstanding the provisions of subsection (a)(2), it is not a >violation of that subsection for a person to-- > >`(A) develop and employ technological means to circumvent a
Re: Criminalizing crypto criticism
In message <[EMAIL PROTECTED]>, Declan McCullagh writes: > >One of those -- and you can thank groups like ACM for this, if my >legislative memory is correct -- explicitly permits encryption >research. You can argue fairly persuasively that it's not broad >enough, and certainly 2600 found in the DeCSS case that the judge >wasn't convinced by their arguments, but at least it's a shield of >sorts. See below. It's certainly not broad enough -- it protects "encryption" research, and the definition of "encryption" in the law is meant to cover just that, not "cryptography". And the good-faith effort to get permission is really an invitation to harrassment, since you don't have to actually get permission, merely seek it. --Steve Bellovin, http://www.research.att.com/~smb - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Criminalizing crypto criticism
On Thu, Jul 26, 2001 at 10:53:02PM -0400, David Jablon wrote: > With these great new laws, there is no longer any risk of being legally > criticised for using even the most glaringly flawed cryptography -- just use it > for Copy Protection, and TADA! Negative criticism magically disappears. > Almost by definition. > > Flaws can only be exposed by those who won't show their work, > or from anonymous sources, who nobody will trust without confirmation [...] [...] > We seem to be entering the twilight zone -- the end of an exciting, > but brief era -- of public cryptography. The DMCA may be bad, but it's not *that* bad. It contains a broad prohibition against circumvention ("No person shall circumvent a technological measure that effectively controls access") and then has a bunch of exceptions. One of those -- and you can thank groups like ACM for this, if my legislative memory is correct -- explicitly permits encryption research. You can argue fairly persuasively that it's not broad enough, and certainly 2600 found in the DeCSS case that the judge wasn't convinced by their arguments, but at least it's a shield of sorts. See below. -Declan PS: Some background on Sklyarov case: http://www.politechbot.com/cgi-bin/politech.cgi?name=sklyarov PPS: Note you only get the exemption if you make "a good faith effort to obtain authorization before the circumvention." Gotta love Congress, eh? http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR: `(g) ENCRYPTION RESEARCH- `(1) DEFINITIONS- For purposes of this subsection-- `(A) the term `encryption research' means activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products; and `(B) the term `encryption technology' means the scrambling and descrambling of information using mathematical formulas or algorithms. `(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if-- `(A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work; `(B) such act is necessary to conduct such encryption research; `(C) the person made a good faith effort to obtain authorization before the circumvention; and `(D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986. `(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include-- `(A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security; `(B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and `(C) whether the person provides the copyright owner of the work to which the technological measure is applied with notice of the findings and documentation of the research, and the time when such notice is provided. `(4) USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to-- `(A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and `(B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2). - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]