TOWARDS MORE SENSIBLE ANTI-CIRCUMVENTION REGULATIONS
Pamela Samuelson, UC Berkeley
Financial Cryptography ’00, February 21, 2000
2/21/00 Financial Cryptography '00 1
OVERVIEW OF TALK
• Origins of new legal regulations concerning circumvention of technical protection systems
• Overview of act-of-circumvention and anti-device rules
• Why these rules are troublesome
• Possible paths to rectifying the problems
CIRCUMVENTION IN CONTEXT
• Before a group of cryptographers, it is wise to recognize that this community regards circumventing TPS and making tools to circumvent TPS as natural and good (can’t improve security without trying to break it)
• But now that other industries are using encryption, they have different perspectives
• Hollywood, in particular, likens circumvention to “breaking & entering,” and software to do this as “burglars’ tools”
WHY ANTI-CIRCUMVENTION REGS?
• U.S. “White Paper” on Intellectual Property & the NII (1995) (its author = former copyright lobbyist)
• Proposed to outlaw tools (sw or hw) whose “primary purpose or effect” was to bypass TPS used by copyright owners to protect their works
• Nearly identical provision proposed for international treaty
• Copyright industries were strong supporters of Clinton; stronger copyright laws as quid pro quo
MORE ON WHY
• White Paper anticipated global market for digital copyrighted works
• TPS to overcome vulnerability to “piracy”
• Need for legal reinforcement for TPS to outlaw circumvention/piracy-enabling tools
• “Not unprecedented” (DAT law, satellite broadcasting “black-box” decoders)
DEVELOPMENTS IN ’95-’96
• WP legislation was highly controversial
• Anti-circumvention only 1 of several problems (most attention to ISP liability)
• Equipment mfrs: unfair to hold responsible for what users do; can’t respond to all TPS; need for exceptions
• So broad, NSA could have been shut down (because they make tools to circumvent TPS & virtually all content “sniffed” is copyrighted)
WIPO DEVELOPMENTS
• Diplomatic conference at the World Intellectual Property Organization in Geneva in Dec. 1996
• Draft treaty contained variant on US a/c proposal
• A/c provision was highly controversial: worries about effect on public domain, fair use, technological development
• Compromise in final treaties: “adequate” protection and “effective” remedies vs. circumvention of TPS
POST-WIPO EVENTS
• Post-WIPO clash of titans over ISP liability: Hollywood v. telcos/ISPs
• Compromise on ISP issue (“safe harbors”) broke logjam in March 1998
• Political capital largely spent on ISP issue
• Some compromise as to anti-circumvention regs in DMCA, but not as to tools provision
• US pushing other countries to adopt its rules
ACT-OF-CIRCUMVENTION
• Treaty so vague that legislation not needed in US, but even if so, only as to circumvention
• Campbell-Boucher bill: proposed to outlaw circumvention of TPS to enable copyright infringement
• MPAA: wanted all circumvention outlawed
• Compromise in DMCA: illegal to circumvent access control, 17 U.S.C. s. 1201(a)(1)
• 2 year moratorium; LOC study; 7 exceptions
EXCEPTIONS TO 1201(a)(1)
• Legitimate law enforcement & national security purposes
• Reverse engineering for interoperability
• Encryption research and computer security testing
• Privacy protection & parental control
• Nonprofit “shopping privilege”
ANTI-DEVICE PROVISIONS
• Illegal to “manufacture, import, offer to public, provide or otherwise traffic” in
• Any “technology, product, service, device, [or] component”
• If primarily designed or produced to circumvent TPS, if only limited commercial purpose other than to circumvent TPS, or if marketed for circumvention uses
MORE ON DEVICE RULES
• 1201(a)(2)--devices to circumvent effective access controls
• 1201(b)(1)--devices to circumvent effective controls protecting right of cop. owners
• Actual & statutory damages + injunctions
• Felony provisions if willful & for profit
• MPAA v. Reimerdes 1st civil case
MPAA v. REIMERDES
• Injunction vs. posting of DeCSS on websites or otherwise making it available
• CSS is effective access control for DVDs
• DeCSS circumvents it & has no other commercially significant purpose
• Lack of evidence for Linux compatibility argument
• Besides, 1201(f) only protects interoperation with programs, not “data” on DVD
DVD-CCA v. McLAUGHLIN
• Trade secret misappropriation case
• Not just vs. posting, but also vs. linking
• CSS = proprietary information; DVD-CCA took reasonable steps to maintain secret
• Inference: someone must have violated clickwrap license forbidding reverse engineering
• Even though DeCSS on web for 4 months, not to enjoin would encourage posting TS on Web
• Judge upset by “boasting” about disrespect for law
IMPLICATIONS OF DVD-CCA
• Anti-reverse engineering clauses are common in software licenses; enforcement worrisome
• Willingness to enforce and treat information obtained through reverse engineering as trade secret also worrisome
• Willingness to enjoin information that has been public for several months may be error
• “Fruit of poisonous tree” rationale (judge knows Johansen didn’t reverse engineer, nor did many posters, yet held as trade secret misappropriators)
CURIOUS THINGS ABOUT 1201
• Only 3 exceptions to 1201(a)(1) explicitly allow building tools
• Only interoperability exception limits both anti-device rules
• Did Congress mean to allow circumvention to make fair use, yet make it illegal to make tools needed to accomplish? (Ha! Ha!)
• LOC to study only act, not device rules
PROBLEMS WITH A/C REGS
• Legitimate purpose circumventions
  – existing exceptions overly narrow
  – need for general purpose exception
  – clarify that fair use circumvention is OK
• “Dual use” technologies
  – tools to enable legitimate uses
  – how device rules could be narrowed
• Copyright-centric regulations
EXCEPTIONS TOO NARROW
• Interoperability: not just programs; other reverse engineering may be legitimate
• Encryption and computer security research:
  – no authorization and expert requirements
  – OK to make tools
  – less onerous rules on disseminating results
• Privacy exception: Windows 2000 hypothetical (see BTLJ paper)
A GENERAL PURPOSE EXCEPTION?
• Need for “or other legitimate purpose” exception to access control rule
• Examples of other legitimate acts:
  – if reasonable grounds to believe infringing copy or computer virus inside TPS
  – illegitimate invocation of “technical self-help”
• Courts able to tell difference between legitimate & illegitimate acts
DUAL USE TECHNOLOGIES
• Circumvention tools are not burglars’ tools
• Ways to narrow rules:
  – substantial noninfringing use standard
  – intent/knowledge/injury/infringement requirement
  – commercially significant cf. apparent legitimate purpose (freeware should not be vulnerable)
  – technology-specific (e.g., circumvention of SCMS)
• Think through relation between range of legitimate circumventions and availability of tools (if X is lawful, tool to do X should be OK)
COPYRIGHT-CENTRICITY
• Encryption protects more than commercial copyrighted products (e.g., private personal communications, trade secret/confidential business information, e-cash)
• Circumvention of encrypted information is a more general problem (sometimes legitimate, sometimes not)
• So is the availability of circumvention technology
• Would suggest the need for a general law
UNINTENDED CONSEQUENCES?
• Copyright law protects “original works of authorship” from moment of 1st fixation
• Private email is copyrighted, so are business documents
• If encrypt to control access, circumvention would be illegal under 1201(a)(1), even if legitimate reason (e.g., employer has reason to believe contents are pornographic)
• Less clear 1201(a)(1) applies to e-cash (although circumvention a problem here too)
UNINTENDED CONSEQUENCES?
• X makes software that circumvents Y’s encryption system
• Z is a copyright owner who decides to use Y’s encryption system to protect digital pictures
• Does X’s tool then become illegal?
• Can Y sue X? Can Z sue X? What harm has X’s software done to Y or Z?
• 1201(a)(2) and (b)(1) do not require any underlying infringement; mere potential is enough
WAYS TO CHANGE RULES
• Common law interpretation (some judges will stretch existing exceptions)
• Legislative amendments to 1201
  – broaden encryption/computer security exceptions
  – general purpose exception
  – narrow tools provision
• Broadened LOC studies/rulemaking
LIBRARY OF CONGRESS STUDY
• Main focus: consider impact of act-of-circumvention rules on fair use and other noninfringing uses
• LOC can issue rules exempting works or user groups from act-of-circumvention rules
• Need for study of impact of anti-device rules because overbroad and contradictory to other aspects of 1201
• Potential for deleterious consequences (e.g., “strike suits” & “chilling effects”)
CONCLUSION
• Copyright industries intend to exercise substantial control over encryption policy
• They may have a myopic perspective (but they think cryptographers are myopic)
• Good news is that encryption research/computer security testing is exempt in US (but not in EU)
• Bad news is that the US is promoting overbroad anti-device rules outside US
• 1201 unlikely to be repealed, but could be better & you can help make it so