Association for Computing Machinery
U.S. Public Policy Office
666 Pennsylvania Avenue SE
Suite 302b
Washington, D.C. 20003, USA

U.S. Department of Commerce
National Telecommunications and Information Administration
1401 Constitution Ave., N.W.
Washington, D.C. 20230

Response to the Request for Comments on the Digital Millennium Copyright Act (DMCA), 64 Federal Register 28802:

I. Introduction

The Association for Computing Machinery is America's first educational and scientific computing society, a critical mass of computer scientists in education, industry, and government. ACM is pleased Congress provided an exception to the circumvention-of-access-control provision.

Section 1201(g) is a positive development, but it still does not provide adequate exceptions to enable encryption research. We know that Congress shares ACM's concerns about computer security and our desire to encourage the development of technologies, such as encryption, that contribute to enhanced security. However, in its present form section 1202(g) will have the unfortunate effect of stifling encryption and computer security research, while failing to advance either copyright protection or the economic concerns behind copyright protection.

Although insufficient time has passed to collect significant evidence, section 1202(g) is potentially counterproductive for encryption research; consequently, such research could be unreasonably restricted. Some of the section's definitions and requirements do not reflect the realities of encryption research and unreasonably restrict research.

ACM has a strong interest in intellectual property issues. ACM publishes a large number of journals, magazines and newsletters. Our digital library is a pioneering effort at electronic publishing. Our members are authors, producers and users of copyrighted materials. The ACM's code of ethics includes a provision to honor copyrights and protect the integrity of intellectual property in general. (See the ACM Code of Ethics 1.5 and 1.6.) These ethical standards are upheld by the encryption research community.
 

II. Legal Backdrop of the DMCA

The Commerce Department may be correct in thinking that the interests of the digital economy will be furthered by widespread acceptance of the WIPO Copyright Treaty in the international community. This treaty establishes several important international norms for applying copyright law in the digital environment. International consensus on these norms should aid the growth of the global digital economy. However, the United States copyright law was already in compliance with the World Intellectual Property Organization Copyright Treaty, barring one minor provision. Due to previously existing U.S. copyright law, the DMCA is largely unnecessary; it also has significant unnecessary negative effects. The DMCA does not match up well with the needs of the digital economy.

III. DMCA's effects on encryption research

Because of the nature of encryption research, the maturity of the field, the pace of deployed technology, and the enforcement of the DMCA to date, there is insufficient evidence to comment in depth on any of the three questions posed in section 1201(g)(5). It may require several years of experience before meaningful comment can be made on the effect of 1202(g). During those years, there may well be a chilling effect on encryption research. Further, we are concerned that Congress may be unwilling to revisit these provisions in several years.

We observe that the phrasing of elements of the bill is vague and may inhibit legitimate acts of research, and that it restricts historical encryption research activities. In particular:

* Section 1201(g)(1)(A) does not include activities involving the examination of the encryption to determine its strength -- a key element in understanding the potential risk of exposure for anyone using the algorithm.

* Section 1201(g)(1)(B) fails to include encryption included in hardware devices that may operate using methods not expressly involving mathematical algorithms. For example, some forms of encryption performed on analog signals (e.g., voice) may be based on algorithms that are not adequately described in this definition.

* Section 1201(g)(2)(B) mandates a "good faith effort" without adequate definition as to what that means. Further, if a vendor fails to grant permission, perhaps because the product being examined is defective or weak and research would result in embarrassing revelations, or in cases where the vendor is no longer in business or may be unknown to the examiner, the law makes such research activities illegal. This is despite the clear public good that may be achieved through such research.

* Section 1201(g)(3)(A) defines a potentially conflicting set of parameters. Most forms of dissemination to the public (in the case of alerting them to weak controls) and to security professionals may also lead to exposure to elements of the public who may use this information to exploit the weaknesses. In most cases, these two issues will conflict and interact in manners unforeseen by the researcher.

* Section 1201(g)(3)(B) dictates that the researcher be trained in encryption technology. However, historically, many great cryptographers are self-taught, or learn their craft through precisely the activities regulated by this bill (learning how encryption works, and doesn't work, by examining existing methods).

* Section 1201(g)(3)(C) requires that the researcher provide documentation and results of his or her research to the vendor of the encryption technology. This may result in a potential loss of patentability of any invention resulting from the research, or loss of trade secret status of new methods developed by the research. Further, if the vendor is outside the United States, or is a foreign-owned entity, then such reporting may be in violation of the government's restrictive export control laws.

As an indication that one of the potential problems with Section 1201(g)(2)(B) and Section 1201(g)(3)(A) may, in fact, be realized, we note one of many recent incidents as a representative example. A hobbyist security group by the name of cDc produced and released in July 1999 a software artifact they named "BackOrifice 2000." This program allows users to surreptitiously take control of computers running any version of the popular Microsoft Windows operating system (Win 95, 98, NT, and 2000). This program was developed using research into the encryption and putative security measures present in these systems. The release of this software has helped raise the awareness of the many security weaknesses present in these Microsoft products. However, spokespeople for Microsoft continue to maintain that there are no weaknesses in their software, and that the only purpose of this software is for malicious ends. This is disingenuous and would lead us to believe that they would not grant permission for this research had it been sought. Further, it presents a clear conflict as to the end result of the public release of the code (cf. section 1201(g)(3)(A)). It is obvious that the potential exists for some vendors to label research as "not related to security" or "only with malicious intent" in an attempt to quash inquiries that might lead to public comment and embarrassment.
 

IV. Conclusion

It is our continuing belief that there exist appropriate protections in law for copyright other than those embodied in the sections of the DMCA regarding technological means. At the same time, section 1201(g) is vague, conflicting, and contrary to the public interest. Section 1202(g) could have a negative impact on research that is critical for computer security. We would encourage Congress to consider repeal or modification of this provision and related sections of the law. The guiding principle behind such a revision should be that the infringement itself is the criminal act, not the development, study, or practice of technology that may involve protections of copyrighted works.