Docket No. 990428110-9110-01

Request for Comments on Section 1201(g) of the Digital Millennium Copyright Act

AGENCIES: The National Telecommunications and Information Administration,
United States Department of Commerce; and the United States Copyright Office,
Library of Congress

ACTION: Request for Public Comment

COMMENTS RECEIVED JULY 27, 1999




Emusic.com Incorporated
1991 Broadway, 2nd Floor
Redwood City, California 94063
Main: 650-216-0200
Fax: 650-556-9712
Web: http://www.emusic.com

July 26, 1999

Paula J. Bruening
Office of Chief Counsel
National Telecommunications and
Information Administration
Room 4713
U.S. Department of Commerce
14th and Constitution Avenue, N.W.
Washington, D.C. 20230

Jesse M. Feder
Office of Policy and International Affairs
U.S. Copyright Office
Copyright GC/I&R
P.O. Box 70400, Southwest Station
Washington, D.C. 20024

Re: Request for Comments on Section 1201(g) of the Digital Millennium Copyright Act, Docket No. 990428110-9110-01

Dear Ms. Bruening and Mr. Feder:

EMusic.com welcomes this opportunity to submit comments on the impact that Section 1201(g) of the Digital Millennium Copyright Act, P.L. No. 105-304, 112 Stat. 2860 (October 28, 1998) ("DMCA"), will have on encryption research and the development of encryption technology. EMusic.com would like to focus, in particular, on the effect that Section 1201(g) will have an efforts to evaluate the effectiveness of industry-sponsored security and copyright management specifications that incorporate cryptography.

The Growing Importance of Industry-Sponsored Standards

One of the principal motivations behind the enactment of the DMCA was the recognition that a rapidly expanding amount of copyrighted content - be it text, video, audio, or otherwise - will be distributed in digital form. As the distribution of digital content proliferates, copyright owners will seek to develop methods of preventing unauthorized use of their content, such as the commercial distribution of unlicensed copies. Because most forms of digital media can be downloaded, stored, and replayed across an array of different devices, different industry sectors will likely seek to cooperate in the design and implementation of uniform specifications for copyright management systems (subject, of course, to the limitations imposed by the antitrust laws). Several of these initiatives are already underway.

The design and implementation of industry-sponsored copyright management systems has the potential to profoundly influence the market for digital media and the manner in which digital media are distributed. The choices that different industry sectors make with respect to these systems are likely to result in significant investments in new technologies and distribution channels. Moreover, these decisions will undoubtedly influence the options that are available to consumers, both in terms of the ease with which they will be able to access copyrighted content and the equipment that they will require to do so. A misguided decision about a particular copyright management system could result in unproductive investments and, worse, could retard the emergence of new markets for digital media.

For these reasons, EMusic.com believes it is vitally important that copyright management systems be subject to rigorous scrutiny prior to their widespread adoption by industry and consumers. Moreover, once in place, copyright management systems should continue to be subject to intensive, real-world challenges, so long as those challenges are not motivated by a desire to gain unauthorized access to, or engage in unauthorized uses of, copyrighted works. Legitimate evaluation and criticism of copyright management systems is the only surefire means of ensuring their effectiveness and vitality.

EMusic.com is therefore deeply concerned about the possibility that advocates of particular copyright management systems will use the anti-circumvention provisions of the DMCA to thwart or deter good-faith efforts to evaluate and publicize the vulnerabilities of those systems. While originally intended as a means of going after those who seek to circumvent cryptography-based access controls for illegitimate purposes, the anti-circumvention provisions could also be used as a weapon against those who seek to demonstrate the ineffectiveness of such controls for entirely legitimate reasons. If this were to be permitted, advocates of particular standards could use the DMCA to squelch opposition to that standard and to coerce industry and consumer acceptance of a standard that has not been subject to open testing.

Ambiguities in the Encryption Research Exception

Given the potential misuse of the anti-circumvention provisions of the DMCA, EMusic.com believe that it is extremely important that the encryption research exception set forth in Section 1201(g) be construed to permit individuals and companies to evaluate and publicize the vulnerabilities of copyright management systems, whether proposed or implemented. Unfortunately, however, Section 1201(g) contains several troubling ambiguities that could be seized upon by those who would seek to use the anti-circumvention provisions of the DMCA as a means of deterring legitimate evaluations. In particular, EMusic.com is concerned that:

· Under Section 1201(g)(2)(C), a person who intends to circumvent a "technological measure," as that term is used in the Act, must make "a good faith effort to obtain authorization before the circumvention," presumably from the owner of the underlying copyright. It is not clear whether attempting to obtain such consent and having the request denied would constitute such a "good faith effort." If not, the advocates of a particular security implementation could simply deny all requests from "outsiders" for authorization to test the implementation. That policy, especially if it is combined with aggressive legal threats and a policy of following up to see if the disapproved applicants have truly abandoned their testing plans, could seriously deter disclosure of any vulnerabilities that the technology might have. While there may be some situations in which it is possible to test the implementation in the context of uncopyrighted works or works to which the tester owns the copyright, there will be many situations in which it is only possible to test the implementation when it is applied to works that are copyrighted by others (for example, when the cryptography is used to establish a secure communications channel).

· Under Section 1201(g)(3)(A), one of the "factors" in determining one's qualification for the exception is whether "the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement" of copyrighted works.

This is without question the most troubling of the ambiguities in Section 1201(g). The chief problem is that it posits a false dichotomy: the dissemination of cryptographic research either advances the state of knowledge, or it facilitates infringement - but not both. In fact, the dissemination of information relating to flaws in cryptographic implementations can both advance the state of knowledge and, incidentally, facilitate infringement by those who have such an intent. Indeed, practically every computer security alert has two effects - it encourages computer users to fix a security hole while at the same time telling hackers that the hole exists. It is virtually impossible to distinguish between these two effects, and equally impossible for persons with legitimate intentions to know with any reasonable degree of certainty whether they will be accused of falling on the wrong side of this (non-existent) line. The effect of this uncertainty will be to deter persons who are seeking to make information available about specific weaknesses in cryptographic implementations, even when their intention is solely to draw attention to the deficiencies of a proposed standard.

· Under Section 1201(g)(3)(B), an additional "factor" to consider in determining eligibility for the encryption research exception is whether the person who performs the act of circumvention "is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology." If courts construe this factor too narrowly, the result could be to limit legitimate security evaluations to a relatively small community of academics and professional information security consultants. The information technology industry, however, has a rich tradition of individuals - often not associated with any corporation or organization, and often without any formal training - who seek to crack security implementations and publicly demonstrate their shortcomings. There is a large community of such individuals - sometimes referred to as "ethical hackers" - who engage in this activity not for any illegitimate purpose, but simply out of a belief that security implementations should be subject to open testing in real-world environments. This tradition has kept constant pressure on the industry to develop new and stronger security implementations, and has prevented bad security implementations from gaining widespread acceptance. It is a kind of Darwinian selection process that benefits industry and consumers as a whole.

When coupled with the ambiguity in Section 1201(g)(3)(A) about the manner in which the results of cryptographic research are disseminated, the result of these provisions could be to deter these kinds of individuals from engaging in open testing of security implementations and publicizing the results. There are many examples of security implementations whose vulnerabilities were first publicized by persons without any formal training or professional affiliation in the information security industry. While there is a superficial appeal to the argument that these security implementations would have had a longer shelf-life had their vulnerabilities not been revealed, in the long run, there is greater benefit from having those vulnerabilities revealed. This is particularly true when reliance on a particular security implementation could lead to significant industry and consumer investment in hardware and software devices that support that implementation.

An Illustration

It might be helpful to illustrate the foregoing concerns with a scenario that could, as they say, be "ripped from today's headlines." Although this scenario is greatly simplified, it amply demonstrates the problems that could result from an overly-restrictive interpretation of Section 1201(g).

A group of film studios and hardware manufacturers get together and establish a uniform copyright management specification for the distribution of digital video products. The specification controls the number of copies that can be made, the period during which the video can be watched, whether it can be watched on machines other than the viewer's, and other similar parameters. The specification incorporates encryption as a means of enforcing these controls. In this manner, the encryption used in the specification "effectively controls access" to a copyrighted work, and is therefore within the scope of the anti-circumvention provision, § 1201(a)(1).

In one variant of the scenario, a film studio that was not a part of the standards-setting group decides that the adoption of the specification will hinder the overall development of the digital video market, as the manner in which it controls use of the video is likely to deter most consumers from purchasing titles that are subject to those controls, as well as the hardware that is necessary to play them. The film studio is concerned that widespread industry commitment to this standard will delay the expansion of the digital video market that it believes is required to justify a switch to digital-only distribution mechanisms. For these reasons, it wants to demonstrate that the specification is flawed, in part because the encryption that it incorporates can be compromised. As a known critic of the specification, however, it cannot obtain the proprietary hardware and software that it would need to subject one of its own film titles to the controls, and test the specification on that basis. Therefore, it obtains a video that is subject to the controls in the open marketplace, and hires an information security expert to crack the encryption on which the controls are based. In order to promote industry opposition to the specification, the film studio publicizes its success in cracking the encryption and provides details of the manner in which it was able to do so.

In a second variant of the scenario, a technically-minded customer is opposed to the industry specification because of the controls that it imposes, because it requires consumers to buy new hardware, and because it will gradually render his vast collection of film titles recorded in another format obsolete. He starts a website to generate public opposition to the standard. Although he has no formal training in encryption technology and is not employed in that field, he manages to crack the encryption used in the specification. He publicizes his success on the website, providing specific details of the manner in which he was able to do so. It is his hope that the publicity surrounding his announcement, and the fact that a means of bypassing the controls is now public knowledge, will convince the industry to abandon the standard in favor of one that is more consumer-friendly. He does not use his ability to crack the encryption as a means of gaining unauthorized access to copyrighted content.

In both variants of the scenario, the industry association that developed the standard brings suit under Section 1203 of the DMCA, arguing that the circumvention of the encryption violated Section 1201(a). It also seeks criminal prosecution under Section 1204. With regard to the dissident film studio, it argues that the encryption research exception does not apply because the film studio did not make a "good faith effort to obtain authorization before the circumvention," § 1201(g)(2)(C), and because the film studio disseminated information about its successful circumvention of the encryption "in a manner that facilitate[d] infringement" of copyrighted works, § 1201(g)(3)(A). With regard to the activist consumer, the industry association further argues that the exception does not apply because the consumer is not "engaged in a legitimate course of study" or "employed trained or experienced in the field of encryption technology," § 1201(g)(3)(B).

If the industry association were to prevail in either one of these suits, the message would be clear: proponents of industry standards can use Section 1201 to squelch legitimate criticism and analysis of those standards, including criticism and analysis that is not in the least bit motivated by a desire to gain unauthorized access to copyrighted works. This threat would be felt by both companies and private individuals. Proponents of particular standards could use this threat to conceal the vulnerabilities of those standards and to encourage widespread industry and consumer acceptance of a standard that will ultimately be shown - by persons with less noble intentions - to be ineffective.

The public harms that would result from this "squelching effect" could be significant and long-lasting. In the scenario sketched out above, for example, the inability of companies and individuals to reveal the vulnerabilities of the digital video specification early on could lead to significant industry and consumer investment in hardware and software devices that support the specification. The shortcomings of the specification might only be revealed as it became evident that a large number of people were hacking around the controls in order to engage in unauthorized uses of protected content. As such persons are not generally inclined to publicize their successes in cracking security implementations, it might take some time for the weaknesses of the system to emerge. In the meantime, however, the industry may have made significant investments in devices that support the specification, thereby influencing consumer choices and shaping the structure of the market for the (allegedly) protected content. In the worst case, the slow demise of the specification as its weaknesses were revealed could require industry and consumers to invest in an entirely new standard, thereby starting the cycle all over again. Clearly, both industry and consumers - but mostly consumers - would have been better off if the vulnerabilities of the specification had been revealed early on by companies or persons whose only intention was to demonstrate the ineffectiveness of its security.

Recommendations

As this illustration demonstrates, there are compelling reasons to be concerned about the potentially detrimental impact of the anti-circumvention provisions of the DMCA and, in particular, about an overly-restrictive interpretation of Section 1201(g). EMusic.com believes that, in their report to Congress, NTIA and the Copyright Office should identify these concerns and ambiguities, and should propose specific interpretations of Section 1201(g) - if not outright legislative amendments - that would address these issues. In particular, the report should recommend that:

· Under Section 1201(g)(2)(C), the requirement of a "good faith effort" to obtain authorization for an attempted circumvention of a technological measure should not automatically preclude an individual from testing the technological measure if such authorization is denied, so long as the act of circumvention otherwise qualifies for the exception.

· Under Section 1201(g)(3)(A), the "dissemination" factor should be clarified so that an individual may benefit from the exception so long as he or she disseminates the results of his or her research without any apparent intention of facilitating infringement, as judged by the surrounding circumstances. In particular, the dissemination of information whose sole purpose is to criticize or reveal the shortcomings of a proposed or adopted standard should qualify the disseminator for the exception. Indeed, any other interpretation of Section 1201(g)(3)(A) would almost certainly violate the First Amendment.(1)

· Lastly, Section 1201(g)(3)(B) should be clarified so that the lack of formal training or employment in the area of information security is not an absolute bar to qualifying for the exception, so long as the act of circumvention otherwise qualifies for the exception.

EMusic.com greatly appreciates the opportunity to submit these comments on a matter of important public concern, and would be happy to meet with you and your respective offices to discuss these concerns in more detail.

Respectfully submitted,

Peter F. Harter
Vice President, Global Public Policy & Standards
EMusic.com, Inc.
 
 

*****



DEPARTMENT OF COMMERCE

National Telecommunications and Information Administration

LIBRARY OF CONGRESS

Copyright Office

[Docket No. 990428110-9110-01]

RIN 0660-ZA09

Request for Comments on Section 1201(g) of the Digital Millennium Copyright Act

COMMENTS OF

THE COMPUTER & COMMUNICATIONS INDUSTRY ASSOCIATION (CCIA)

The Computer & Communications Industry Association (CCIA) strongly supported ratification and implementation of the World Intellectual Property Organization (WIPO) Copyright Treaty and the WIPO Performances and Phonograms Treaty, both of which were intended to update the Berne Copyright Convention to improve protections for digital works such as computer software and compact disks. The WIPO Copyright Treaty affirms that computer programs and other digital works are due the full copyright subject matter protection under the Berne Convention. WIPO also clarifies transmission rights for copyrighted works in digital, electronic formats, and requires "adequate and effective" remedies to protect against the circumvention of anti-copying technologies and alteration or removal of electronic rights management information.

Following the adoption of WIPO by the treaty delegates, the Administration introduced implementing legislation in the 105th Congress. However, these bills, S. 1121 and H.R. 2281, went beyond the revisions necessary to conform American law to our treaty obligations and conferred broad new rights on the owners of copyrighted material. As introduced, these bills would have made it illegal for competitors to analyze operating systems or software platforms for the purpose of creating interoperable products. Computer scientists conducting encryption research and security testing would have also been in danger of running afoul of the law. In addition, online service providers could have been subject to broad liability for the actions of others engaging in copyright piracy utilizing their services, regardless of whether the service provider played any role or had any knowledge of such activity.

Working on behalf of its members, CCIA was actively involved throughout consideration of this legislation (the Digital Millennium Copyright Act (DMCA) (Pub. L. No. 105-304, 112 Stat. 2860 (Oct. 28, 1998)). In addition to working to limit the legislation's impact on the broad issues of service providers' liability and fair use, CCIA and other interested parties were able to preserve the practice of reverse engineering for interoperability purposes.

CCIA also spearheaded the effort leading to the exception for encryption research, the subject of this Request for Comments. We believed then, and continue to believe, that this language is essential to maintaining research and academic study in the field of cryptography. We also believe that the language as enacted must be interpreted to protect and encourage legitimate encryption research. If interpreted too strictly, the requirements of the Act could lead to unintended and detrimental consequences.

In its report on the DMCA, the Senate Judiciary Committee made clear that:

[t]he effectiveness of [technological copyright protection] measures depends in large part on the rapid and dynamic development of better technologies, including encryption-based technological protection measures. The development of encryption sciences requires, in part, ongoing research and testing activities by scientists of existing encryption methods, in order to build on those advances, thus promoting and advancing encryption technology generally.

[S. Rept. 105-190, p. 15]

Circumvention of technological protection measures, which (with some limited exceptions) is otherwise prohibited by the DMCA, is essential in the field of encryption research. In order to perform the research necessary to improve or learn about a computer security system, a researcher must often circumvent technological protection measures, such as encryption. As in the physical world, the only way to really know the strength and effectiveness of an electronic lock is by trying to break it. Circumvention of technological protection measures is a standard operating procedure for these researchers.

Section 1201(g) of the DMCA specifies that it is not a violation of the Act for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if--

(A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;

(B) such act is necessary to conduct such encryption research;

(C) the person made a good faith effort to obtain authorization before the circumvention; and

(D) such act does not constitute infringement under this title or a violation of applicable law other than this section . . . ."

Of particular concern to CCIA and its members who conduct or benefit from legitimate encryption research is subsection (C), which requires a "good faith effort to obtain authorization" prior to circumventing an access control technology. If interpreted broadly, this clause could be very problematic to the research community.

In particular, the distinction between general encryption systems and copyright enforcement systems is not at all clear, and can be expected to become even less so in the future. A particular encryption algorithm or program may be put to a variety of uses, and there are likely to be numerous parties (hundreds or even thousands) using any given system (or aspect of a system) that an encryption researcher wishes to test for flaws and vulnerabilities. The Act could be interpreted to require the researcher to try to obtain permission from each one of them. Therefore, in many cases it may not be feasible, practical, or even possible for some researchers to make this "good faith effort."

For instance, some copyright protection schemes work by encrypting the copyrighted data or by requiring the user to authenticate to some trusted "license manager." However, these same - or similar - algorithms and protocols could be used for a wide range of other computer and communications security applications, including protection of sensitive user data (file and message encryption), access-control of computer systems or networks, secure financial transactions, etc. Some copyright protection measures discourage copying by embodying some of the sensitive user data in software that has been specially designed to resist reverse engineering and decompilation, but these same design techniques could be used to design more secure software for electronic commerce, distributed systems, and software license management. In order to make these (non-copyright protection) applications trustworthy enough to use commercially, the research and engineering communities must be able to do exactly the kind of open engineering, analysis, and exchange of tools and sharing of partial results that could be prohibited under §1201(g), simply because someone, somewhere, happens to be using similar technology for copyright protection.

The Senate Judiciary Committee's Report on the DMCA repudiates such a broad reading of 1201(g):

[T]esting of an encryption algorithm or program that has multiple uses, including a use as a technical protection measure for copyrighted works, would not fall within the prohibition of section 1201(a) when that testing is performed on the encryption when it is in a form not implemented as a technical protection measure.

[S. Rept. 105-190, p. 15]

Furthermore, it is not evident what advantage the copyright holder gains by such a notice requirement, except the general ability to discourage research, since there is no requirement that permission actually be obtained. The disadvantages to legitimate research of complying with the requirement, however, are quite serious.

In particular, it puts researchers and their companies at a significant competitive disadvantage to have to disclose their plans to others prior to proceeding on a course of research. Encryption research by its very nature is an adversarial process. It is also essential for cryptographers to be able to advance the science by attempting to find vulnerabilities in encryption as that encryption is actually applied. In many cases, a researcher will look at many systems as part of a plan to try to create an improved system, something one would very much want and expect to keep secret, for obvious commercial and intellectual property reasons. However, under the Act, a researcher would be required to at least make a "good faith effort" to notify parties who may be potential industry competitors, rival intellectual property claimants, or hostile security officers before he or she even began the research.

The chilling effect on research and innovation should be obvious and of great concern. In many cases, the content owner is unlikely to authorize this research even if he has no competitive interest in the field. Most content owners have no particular interest in the advancement of the field, particularly if it involves finding weaknesses in a system on which he is relying to protect copies of a work that he is distributing broadly for a fee. Even if the content owner were inclined to grant approval for the research, the research process would inevitably be retarded as the general counsels of universities and encryption firms would prohibit researchers from proceeding until all necessary authorizations had been received in writing.

Members of CCIA are extremely concerned about this provision and troubled by the potential harm a strict application of the DMCA's language could have on the field of encryption research and the development of secure security systems based on encryption. We believe this research and study is essential to the further advancement of electronic commerce and secure digital networks, and hope that the Administration and Congress will take steps to ensure that such activity is protected.

Respectfully Submitted,

Jason M. Mahler
Vice President and General Counsel
Computer & Communications Industry Association
<jmahler@ccianet.org>
 

CCIA Members:
Amdahl Corporation
AT&T Corporation
Bell Atlantic Corporation
Block Financial Corporation
CAI/SISCo
Commercial Data Servers, Inc.
CommonRoad Corporation
Datum, Inc.
Entegrity Solutions Corporation
Fujitsu Limited
Giga Information Group
Government Sales Consultants, Inc.
Hitachi Data Systems, Inc.
Intuit, Inc.
Leasing Solutions, Inc.
MERANT
Netscape Communications Corporation
NOKIA, Inc.
Nortel Networks
NTT America, Inc.
Okidata
Oracle Corporation
RedCreek Communications, Inc.
SBC Communications, Inc.
Sun Microsystems, Inc.
Telesciences, Inc.
Sabre Inc.
TSI International Software, Ltd.
VeriSign, Inc.
Viatel, Inc.
ViON Corporation
V-SPAN, Inc.
Yahoo! Inc.

*****

Time Warner Inc.
75 Rockefeller Plaza
New York, NY 10019



July 28, 1999

Paula J. Bruening, Esq.
Office of Chief Counsel
National Telecommunications
and Information Administration
Room 4713
US Department of Commerce
14 Street and Constitution Avenue NW
Washington, DC 20230

Jesse M. Feder
Office of Policy and International Affairs
US Copyright Office
Copyright GC/I & R
P.O. Box 70400
Southwest Station
Washington, DC 20024

Re: Section 1201 (g) of the Digital Millenium Copyright Act
(Docket No. 990428110-9110-01)

Dear Ms. Bruening and Mr. Feder,

I am grateful for the opportunity of submitting comments on behalf of Time Warner Inc. in response to the request for comments announced in the Federal Register Volume 64 No. 102.

Time Warner Inc is, as you know, one of the leading companies engaged in the production and distribution of copyrighted works including motion pictures and phonorecords. As such, it is vitally interested in adequate and effective protection of copyrights. In that connection, Time Warner devotes significant resources to fighting unauthorized uses of its copyrighted works in the United States and abroad.

Time Warner employs encryption technology in order to protect its audiovisual products from unauthorized uses and devotes significant resources to the development and implementation of protective technologies for its audio and audiovisual works. The Request for Comments seeks information with respect to, inter alia, the effects of Section 1201 (g) of the Digital Millenium Copyright Act on "protection of copyright owners against unauthorized access to their encrypted copyrighted works."

Section 1201 (g) which is headed "Permissible Acts of Encryption Research" provides that it is not a violation of Section 1201 (a) (1) (A) (which prohibits circumvention of technological measures that control access to protected works) for a person to circumvent a technological measure "in the course of an act of good faith encryption research" if certain criteria are met.

Among the criteria are (i) that such act is necessary to conduct such encryption research (Section 1201 (g) (2) (B)) and (ii) the researcher made a good faith effort to obtain authorization before the circumvention (Section 1201 (g) (2) (C)).

These provisions have the laudable purpose of supporting research into encryption and thus encouraging discovery of weaknesses in encryption systems that would render them ineffective as protectors of copyright. There are, however, threats to copyright protection that are apparent on the face of the provisions in question.

It is far too early (less than nine months after passage of the Digital Millenium Copyright Act) to have accumulated any hard evidence of the impact of Section 1201 (g) on protection of copyrights. Nevertheless, there has been sufficient history both prior to and since passage of the Act to warrant expressing a few cautions and some suggestions in connection therewith about the serious impact on copyright owners of misuse of "research" that could be encouraged by Section 1201 (g).

Where a copyright protection technology has been overcome, i.e. the encryption code broken, the "research" that led to that was not done by the iconic individual in his/her garage but, rather, by groups of persons having access to large computers in business or academic locations. Such research, more often than not, was not at the request or with the authorization of the owner of the encryption system or an authorized user thereof, and the motives for undertaking such "research" varied from scientific to pernicious.

Whatever the motives, because the "research" is not conducted by an isolated individual, word quickly gets around about how to break a particular encryption system.

When so-called "pirate smart cards" or similar devices are marketed, the advertising for them typically includes a disclaimer "for research only" - with much the same veracity as radar detectors for automobiles are advertised as "not intended to encourage speeding."

What is needed in order to protect against "research" that has these damaging results are measures to assure that those who do the research are doing so for legitimate reasons and meet the criteria set forth in Section 1201 (g) (2) (A) -(D). Some factors to be used in determining whether a person qualifies for the exemption are set forth in Section 1201 (g) (3) but there are a few serious weaknesses in the regime so established which should be dealt with by an amendment or clarified by regulation.

Perhaps the most important requirement as a basis for exemption is that the person doing the research do so with actual written authorization of the owner of the encryption system. There is no reason to suppose that owners of encryption systems would be unwilling to authorize legitimate researchers to test for weaknesses in the encryption systems. Leaving the criterion, however, at merely making "a good faith effort to obtain authorization" (Section 1201 (a) (2) (C)) could allow for illy motivated "researchers" to meet this qualification by sending off (or even claiming to send off) a letter, a fax or an e-mail which does not reach its destination. On the other side of this coin, such a requirement would impose on the owner of the encryption system a burden of attending to its mail, fax and e-mail communications with more speed than it may be able to muster.

Secondly, in this same context, the statute does not tell us what happens if a researcher does make "a good faith effort to obtain authorization" and the owner of the technology turns down the request. As suggested above, many of these problems could be resolved if actual written authorization were required.

Among the safeguards that would flow from a requirement for actual written authorization is the possibility that the owner of the technology might require, as a condition of granting authorization, that the researcher agree not to disclose any facts about the technology or about the results of the research. In the absence of such a non-disclosure agreement, the ability to break an encryption system becomes, as suggested above, widely known. Such a non-disclosure provision should be considered a reasonable condition of a grant of authorization.

Thank you for your consideration of these comments. My colleagues and I at Time Warner Inc. would be happy to meet with you to discuss these issues at your convenience.

Respectfully yours,

Bernard R. Sorkin
Senior Counsel

*****

National Telecommunications and Information Administration
US Department of Commerce
US Copyright Office, Library of Congress

Dear Sir or Madam:

I am writing in response to your request for comments on section 1201(g) of the Digital Millennium Copyright Act.

I am a cryptographer and cryptographic engineer working in the industry on the design of cryptographic systems, including systems for information privacy and protecting intellectual property. I testified to Congress during the hearings on the DMCA on behalf of the industry. Consequently, I feel both qualified and obligated to respond to this RFC, as I participated in the creation of the DMCA.

The DMCA affects cryptographic research in a number of ways.

The DMCA directly affects cryptographic research because it makes "circumvention" an offense that is independent of infringement. It is my belief that the best thing that could be done to aid cryptographic research is to tie the circumvention to infringement, making it a form of aggravated infringement, similar to the way that other crimes can be aggravated by circumstance. I don't know of a single colleague of mine who would object to circumvention and infringement being a more serious crime than infringement alone. No one does real research that involves infringement. Changing this in the DMCA helps cryptographic research most. I must also point out other sections surrounding 1201(g) could also be removed; there would be no need for sections 1201(d), 1201(e), 1201(f), 1201(h), 1201(i), or 1201(j). All of these sections cover exemptions to circumvention that would not be needed if circumvention were an aggravation, not a separate offense.

In 1201(g), there are a few concerns about the exemption given that we have. They are in sections 1201(g)(2)(C) (obtaining permission), 1201(g)(3)(A) and (C) (disseminating information and notifying the work owner), and 1201(g)(3)(B) (whether someone is a legitimate researcher).

During the time the DMCA was being written, the main concern that the copyright-holders had would be that some infringer -- particularly a large-scale one -- would use "research" as an excuse when caught. While we can understand these fears, these remedies are not likely to work, they're more likely to stifle research.

An interesting aspect of today's research is that relative unknowns do some of the most important new work. The smart card vulnerabilities I described above were the first published research of some of the people who worked on it. Beyond that, some of the finest research today comes from groups of researchers who give themselves absurd or outlawish names such as "l0pht" (pronounced "loft") or "The Cult of the Dead Cow." These researchers are typically young, brash, have chips on their shoulders, are contemptuous of the authorities that created these security systems (often that contempt is well-placed), and have pop-culture attitudes that one typically associates with a rock-and-roll band. Perhaps most interestingly, they have an ironic attitude. Unlike published announcements from university or industry researchers which try to explain how smart the researchers are, these independent groups publish their results with a tone that emphasizes how stupid the researchers who created the broken system are. Make no mistake about it though, these young people with black t-shirts who like to call themselves "hackers" are nonetheless their generation's best and brightest when it comes to security research. This is relevant to 1201(g)(3)(B) because cryptographers often earn their stripes on their own, not under the tutelage of industry or universities. The problem with 1201(g)(3)(B) is that it is essentially a law against self-study. I know there are bad people in the world, people who infringe and threaten the copyright-holders, but this doesn't help the problem. It merely brings up new questions. What is a legitimate course of study? I believe that the real proof is whether or not they are infringing. If they're not infringing, this shouldn't be a problem. The true problem arises because circumvention is not tied to infringement.

The other sections are all parts of a common concern that is related to the above. They are part of an attempt to identify what legitimate research is, as opposed to a pirate mill. Again, they don't want to walk into a warehouse filled full of pirated movies (for example) and hear the excuse, "But I was only doing research." It's my opinion that this goes back to the tie between infringement and circumvention. The problem here is the warehouse full of pirated movies. The circumvention merely aggravates that offense.

These three sections I am concerned with cover obtaining permission, notifying the copyright-owner, and publishing the results. All of these sections are incredibly vague, for one thing. What constitutes a "good faith effort to obtain authorization"? And what if my good fail effort ends up with the copyright holder saying, "no"? (Which I will add, they would be daft to do otherwise! Who in their right mind would say, "I give you permission to hack me"?) I do note that the section does not require the researcher to obtain permission, merely to make a good faith effort to get it. But if you know that the answer to a question is going to be no, why bother asking?

Similarly, what is one to do after obtaining results? Who do you tell? What happens after you have told them, particularly if they have told you they don't want you to do research? It sounds to me like it's an invitation to be sued or charged with a crime. This is all very vague, and simply seems designed to stifle research.

The last section I question is disseminating information. What is an appropriate way to do it? Is it appropriate to publish in a scholarly journal? If so, what is a scholarly journals are acceptable, and which are not? What if they find it interesting, not so interesting that they want to publish it? Is a non-refereed journal acceptable? How about the front page of the New York Times? What about on my own web site? Unfortunately, 1201(g)(3) gives no guidance. It's impossibly vague.

Let me give an interesting real-world instance that happened earlier this year.

A movie studio (interestingly, one intimately involved in producing the DMCA) hired a colleague of mine to test a form of cryptographic protection that a vendor wanted to sell to them. My colleague found flaws in the system, and the movie studio declined to use it. I do not know if the studio asked permission to test it, or informed the vendor of their results, but should they have had to? I don't believe they should have to. (Mind you, it is certainly courteous to ask permission, and courteous to inform the provider. But I don't think it is wise to legislate courtesy.) Consumers Union doesn't have to ask permission to test a product. Nor do other organizations that test products. A customer does not have to ask a vendor to verify their claims. The DMCA should not be a law that protects snake-oil salesmen.

Unfortunately, those sections of 1201(g) are something that a creator of protection mechanisms that don't work can use as a club to silence those who would test it. They are also something that a legitimate researcher should ot have to go through. These sections of 1201(g) do nothing more than hamper research, through their unreasonable requirements and vagueness. I see two ways to fix this problem, to strike them, or to tie circumvention with nfringement.

Thank you for the opportunity to contribute.

/s/ Jonathan D. Callas
jon@callas.org
 
 

*****

Before the

NATIONAL TELECOMMUNICATIONS AND
INFORMATION ADMINISTRATION OF THE
UNITED STATES DEPARTMENT OF COMMERCE AND

THE UNITED STATES COPYRIGHT OFFICE
LIBRARY OF CONGRESS

Washington, D.C.



In The Matter Of )
)
Request for Comments on ) Docket No. 990428110-9110-01
Section 1201(g) of the Digital Millennium )
Copyright Act of 1998 )
)
 
 

INITIAL COMMENTS OF BROADCAST MUSIC, INC.

On May 26, 1999, the National Telecommunications and Information Administration, United States Department of Commerce ("NTIA") and the United States Copyright Office, Library of Congress ("Copyright Office), acting pursuant to Section 1201(g) of the Digital Millennium Copyright Act of 1998 (the "DMCA" or "Act"), issued a request for public comment on certain issues concerning the role of technology in protecting the transmission of copyrighted works on the Internet. 64 Fed. Reg. 28802 (the "Notice"). The Copyright Office and the NTIA are directed by the Act to prepare a report specifically examining the impact of Section 1201(g) of the Act on encryption research no later than one year after enactment of the DMCA (that is, on or before October 28, 1999).

As explained in the Notice:

The objective of Title I of the [DMCA] was to revise U.S. copyright law to comply with two recent World Intellectual Property Organization (WIPO) Treaties and to strengthen copyright protection for motion pictures, sound recordings, computer software and other copyrighted works in electronic formats. The DMCA establishes a prohibition on the act of circumventing technological measures that effectively control access to a copyrighted work protected under the U.S. Copyright Act. The prohibition, found in Section 1201 of Title 17, U.S. Code, takes effect October 28, 2000."

Notice at 28803. The Notice further states that comments are requested specifically on the exemption from this prohibition contained in Section 1201(g) for "encryption research". In addition, the Notice also broadly requests comments on "the adequacy and effectiveness of technological measures designed to protect copyrighted works. . . ." Id.

Broadcast Music, Inc. (BMI) is a United States music performing rights organization ("PRO"), representing a repertoire of approximately three million musical works by over 200,000 affiliated songwriters, composers and music publishers as well as by thousands of foreign songwriters affiliated with over 60 sister PROs around the world. BMI licenses its repertoire to music users in a wide variety of fields, including broadcast television and radio stations, restaurants, stores, concerts, musical attractions, the Internet, cable television networks and systems, background music services and numerous other classes of music users.

While BMI is not engaged in encryption research, BMI is nevertheless very involved in inter-industry efforts to create technological solutions to protect copyrighted works from piracy on the Internet and in other digital electronic formats. Therefore, BMI has an interest in this Notice in order to ensure that the rights of music songwriters, composers and publishers are safeguarded as these technologies develop. Moreover, the Berne Convention for the Protection of Literacy and Artistic Works, to which the WIPO treaties and the DMCA are firmly moored, is based on the need to promote authorship and to protect intellectual property.

During the past five years, BMI has been at the forefront of the digital revolution and the protection of intellectual property. BMI's President and CEO, Frances W. Preston, was a member of the Administration's task force known as the National Information Infrastructure Advisory Committee, which consisted of leading players in the entertainment, communications and information technology industries. BMI representatives participated in negotiations leading up to the WIPO treaty process that culminated in late 1996 in the adoption of two WIPO treaties. BMI also negotiated with a wide spectrum of copyright owners and users to create consensus legislation leading to the enactment of the DMCA, including complex negotiations concerning the scope of the prohibition on circumventing technological measures that effectively control access to copyrighted works.

BMI recently announced a strategic two-year initiative called "The Horizon Project," the aim of which is to incorporate the advantages of digital technologies in numerous ways to improve the speed and efficiency of performing rights licensing and royalty distribution. It is the intention of this project to enable BMI to streamline licensing for the benefit of users and to improve both the speed and accuracy of royalty distributions to BMI's affiliated songwriters, composers and music publishers.

BMI is a participant in the inter-industry standards setting effort called the Secure Digital Music Initiative (SDMI), created and led by members of the sound recording industry through its principal trade association, the Recording Industry Association of America. The goal of the SDMI has been to create technological standards to stem the flood of unauthorized digital transmissions of music being witnessed today. BMI believes that any such technological standards for adoption of copyright management information and encryption should accommodate the needs of all copyright owners in the music field. For example, standards should not be adopted that incorporate protection and/or licensing measures addressing information about only one group of copyright owners while omitting pertinent information about other groups of copyright owners. With regard to audiovisual works, BMI is aware of the negotiations currently underway between the motion picture industry, through its principal trade association the Motion Picture Association of America, and the consumer electronics manufacturers and cable system operators about copy protection standards for digital set-top boxes.

BMI is following both of these standard setting processes in an attempt to ensure that they facilitate the efforts of copyright owners of the public performing right to license digital transmissions of their work on the Internet and digital television and to protect owners against unauthorized access to their works. While BMI supports the exemption currently contained in the DMCA for "encryption research," any such exemption should be narrowly construed so that loopholes in the law are not created to make licensing impractical. For example, the Copyright Office and NTIA should pay careful attention to downstream activities that occur after files are decrypted or descrambled.

BMI plans to review the comments filed by others and to reply as appropriate to issues affecting the licensing of public performing rights to music.
 

Respectfully submitted,

BROADCAST MUSIC, INC.

_______________________Marvin L. Berenson
Joseph J. DiMona
Broadcast Music, Inc.
320 West 57th Street
New York, NY 10019
(212) 830-2533 (Phone)
(212) 397-0789 (Fax)



1. 1 It is well established that the First Amendment protects individuals from civil or criminal liability for the dissemination of information that could theoretically be used for an illegal purpose. It is only where speech is likely to incite "imminent lawless action," and is in fact intended to do so, that First Amendment protections do not apply. See, e.g., Brandenburg v. Ohio, 395 U.S. 444, 447 (1969). With one well-publicized exception, courts have never found that the mere publication of information that could facilitate the commission of a crime satisfies this standard. See Rice v. Paladin Enterprises, Inc., 128 F.3d 233 (4th Cir. 1997) (publisher liable for murders facilitated by hit-man "how-to" manual, where manual was clearly intended for use by potential murderers). Plainly, then, the dissemination of information relating to the vulnerabilities of a cryptographic implementation is protected by the First Amendment. Congress seems to have recognized this fact in Section 1201(c)(4) of the DMCA, which states that "Nothing in this section shall enlarge or diminish any rights of free speech or the press for activities using consumer electronics, telecommunications, or computing products."