Copyright law chills IT security research

Computerworld - Washington

A cloud of fear and uncertainty hung over the 10th annual Usenix Security Symposium here last week, as IT researchers wondered nervously whether they would be hauled off to jail by the FBI for revealing security flaws in an antipiracy technology backed by the music industry.

That didn't happen, but new charges of government censorship are being levied by critics of a 1998 law designed to protect copyrighted digital material, such as software, from unauthorized access and copying (see story). If the law isn't changed, legitimate scientists and corporate IT workers conducting research to improve computer and network security could be sent to jail, legal experts said.

The team of IT researchers, headed by Edward Felten, a professor at Princeton University, and flanked by lawyers from the San Francisco-based Electronic Frontier Foundation (EFF), originally planned to present the paper at a conference in April. But they backpedaled after the Recording Industry Association of America (RIAA) threatened to sue.

Felten took the RIAA to court in June, and the association eventually retracted its legal threats and gave Felten permission to present and publish his paper only at the Usenix symposium.

The paper, titled, "Reading Between the Lines: Lessons from the SDMI Challenge," makes public several inherent security flaws in a technology developed to prevent unauthorized copying of digital music files. Felten and others conducted the research last September while taking part in a security contest sponsored by a consortium of recording companies known as the Secure Digital Music Initiative (SDMI).

Despite what Felten and others called "a partial victory" for science and the First Amendment rights of legitimate researchers, the overly broad nature of the 1998 Digital Millennium Copyright Act (DMCA) threatens to stifle future IT research, according to legal experts.

"The DMCA set up a system where, essentially, the government outsourced censorship of science," said Cindy Cohn, the EFF's legal director. The EFF is representing Felten, as well as Dmitry Sklyarov, a Russian programmer arrested on July 16 in Las Vegas for allegedly developing a software program that unlocks the encryption used to protect the copyrights of electronic-book publishers.

Other scholars "have been chilled" by what happened to Felten, and foreign cryptographers are afraid to travel to the U.S., said Cohn.

A Matter of Scope

Enacted in 1998, the DMCA broadly outlines restrictions on the distribution or sale of any product, service or technology that circumvents access protections to copyrighted material. Although the law provides exemptions for law enforcement officials as well as encryption and security researchers, legal experts said it's unclear how far the law extends and whether corporate IT workers conducting integration work could be caught in its web.