[10219] in cryptography@c2.net mail archive
Re: password-cracking by journalists... (long, sorry)
daemon@ATHENA.MIT.EDU (Will Rodger)
Mon Jan 21 17:29:51 2002
Message-Id: <5.1.0.14.0.20020121161033.00a07360@netmail.home.net>
Date: Mon, 21 Jan 2002 17:16:08 -0500
To: "Arnold G. Reinhold" <reinhold@world.std.com>,
Steve Bellovin <smb@research.att.com>, cryptography@wasabisystems.com
From: Will Rodger <wrodger@pobox.com>
In-Reply-To: <v04210100b86fabfe6c58@[192.168.0.2]>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
Arnold says:
>You can presumably write your own programs to decrypt your own files. But if you provide that service to someone else you could run afoul of the law as I read it. The DMCA prohibits trafficking in technology that can be used to circumvent technological protection measures. There is no language requiring proof that anyone's copyright was violated. Traffic for hire and it's a felony.
I think there's a good argument to the contrary.
The DMCA only bans trafficking in devices whose _primary_ purpose is infringement. And it only applies to works "protected by this Title," that is, Title 17, which is the collection of laws pertaining to copyright.
There was a very long, drawn out discussion of what would be banned and what not before passage. It included all sorts of people traipsing up to Capitol Hill to make sure that ordinary research and system maintenance, among other things, would not be prosecuted. Bruce Schneier was among those who talked to the committees and was satisfied, as I recall, that crypto had dodged a bullet. I'm not saying that Bruce liked the bill, just that this particular fear was lessened greatly, if not eliminated, by the language that finally emerged.
>Now a prosecutor probably wouldn't pursue the case of a cryptographer who decoded messages on behalf of parents of some kid involved in drugs or sex abuse. But what if the cryptographer was told that and the data turned out to be someone else's? Or if the kid was e-mailing a counselor about abuse by his parents? Or the government really didn't like the cryptographer because of his political views?
It all gets down to knowingly doing something, right? If our cryptographer acted in good faith, he wouldn't be prosecuted -- the person who set him up would be.
>There is also the argument that Congress only intended to cover tools for breaking content protection schemes like CSS and never intended to cover general cryptanalysis. You might win with that argument in court (I think you should), but expect a 7 digit legal bill. And if you lose, we'll put up a "Free Will" web site.
No argument there!
>>>As for the legal situation before the DMCA, the Supreme Court issued a ruling last year in a case, Barniki v. Volper, of a journalist who broadcast a tape he received of an illegally intercepted cell phone conversation between two labor organizers. The court ruled that the broadcast was permissible.
>>
>>The journalist received the information from a source gratis. That's different from paying for stolen goods, hiring someone to eavesdrop, or breaking the law yourself. The First Amendment covers a lot, in this case.
>
>Correct. The Barniki opinion pointed out that the journalists were not responsible for the interception. But journalists receive purloined data from whistle-blowers all the time. Suppose in the future it was one of those e-mail messages with a cryptographically enforced expiration date? A journalist who broke that system might be sued under DMCA. That possibility might not frighten the WSJ, but what about smaller news organizations?
Fair enough. But what would the damages under copyright law be? They generally correspond to a harm in the market for a certain kind of information. I don't see a value for a single email on the open market except as a trade secret, say. But then you're back into First Amendment territory, as well as the vagaries of state trade-secret laws (there's no such thing in federal law). One of the failings of the federal law is that it does give unethical people room to tie up the courts. Nothing new there...
>>>So the stolen property argument you give might not hold. The change wrought by the DMCA is that it makes trafficking in the tools needed to get at encrypted data, regardless whether one has a right to (there is an exemption for law enforcement) unlawful.
>>
>>There's language governing that in the statute. Trafficking in tools specifically designed to break a given form of copy protection is one thing. The continued availability of legal tools for cryptanalysis and legitimate password cracking is another. As bad as the DMCA is, it's not _that_ bad.
Arnold replied:
>I've read the statute very carefully and I never found such language. (You can read my analysis at http://world.std.com/~reinhold/DeCSSamicusbrief.html) It's certainly possible that I overlooked something. Perhaps you could cite the language you are referring to?
Sure.
In Section 1204, we see reference to "works protected by this title." The DMCA as enacted is part of Title 17, which is specifically copyright laws. Copyright law in the US gives a person access to his own work and also allows for fair use _as defined by the courts_. Pro-consumer types failed to get language reminding the reader that fair use still applied. Drafters argued that would have been redundant. See ulterior motives here, if you want.
Anyway, the DMCA as enacted (with my emphasis in caps) says in Chapter 12, Sec. 1204:
"(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--
"(A) is PRIMARILY designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work PROTECTED UNDER THIS TITLE;
"(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
"(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title."
All those references to works protected under this title do nothing to keep you from getting at your own stuff. The rest of the language also tells you if you want to use a copy of Crack to get to some of your own system files, well, go ahead.
Now, you're probably thinking "ah hah! He didn't clear up the problems with the 'primary purpose' stuff." But not quite. We have a right to use our VCRs today because a court has already ruled that a VCR's primary purpose is not piracy. So far, the courts have understood "primary purpose" to mean "This purpose and pretty much no other." Can we quibble about this? Absolutely. But I haven't heard anyone come up with a good way of saying that your system maintenance tools are legitimate, except to say that they are primarily _not_ for breaking in to others' machines. Still, who uses sniffers more, sys admins or the bad guys? I bet the latter, on any given day.
All that said, one would still want some language making clear that what researchers do is OK. The statute does it, more or less, through provisions for research in Chapter 12, Sec. 1201:
"(g) ENCRYPTION RESEARCH.--
"(1) DEFINITIONS.--For purposes of this subsection--
"(A) the term 'encryption research' means activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products; and
"(B) the term 'encryption technology' means the scrambling and descrambling of information using mathematical formulas or algorithms.
"(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH.--Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if--
"(A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;
"(B) such act is necessary to conduct such encryption research;
"(C) the person made a good faith effort to obtain authorization before the circumvention; and
"(D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
"(3) FACTORS IN DETERMINING EXEMPTION.--In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--
"(A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;
"(B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and
"(C) whether the person provides the copyright owner of the work to which the technological measure is applied with notice of the findings and documentation of the research, and the time when such notice is provided.
"(4) USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES.--Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to--
"(A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and
"(B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2)."
Note that all this leaves Ed Felten's recent work in the clear. It also explains why the RIAA soiled its legal briefs when faced with _his_ lawyers in court.
-------------------------
<Phew!>
OK, so that's my rap on why this law is bad but won't likely put anyone on this list in jail. The biggest problem, I think, is not its prohibitions but the legal cudgel it gives to certain people who would like to silence others.
If this is the looming disaster many of us feared (I'm talking about stuff much worse than the DeCSS cases here) it should have fallen on us by now. The fact that it hasn't gives me hope. Maybe I'm just too naive!
Will
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com