The anti-circumvention provision of the 1998 Digital Millennium Copyright Act has been widely attacked. The law prohibits the circumvention of copy-protection technologies and the dissemination of information concerning how to defeat those technologies. Critics contend that the law has been misused to stifle competition and has upset the historical balance between copyright interests and access to information.

One of the areas that commentators seldom address is cybersecurity. Although the anti-circumvention provision seems necessary to keep hackers away from copyrighted content, it has a deleterious effect on the development of cryptology and computer security.

Consider the Princeton University computer science graduate student who broke the copy-protection technology made by SunnComm and used in BMG’s CDs. Last year the student posted a paper on his Web site explaining how to disarm SunnComm’s technology by pushing the shift key when loading a CD into a computer. The company reacted by threatening to sue the student under the DMCA, claiming that the student’s revelation of this obvious and well-documented limitation had cost the company millions of dollars. SunnComm eventually dropped the suit.

Courts should discourage such legal action. This type of suit will create a significant chilling effect among scholars and researchers, who thus far have played a major role in developing secure computer systems. Usually a researcher proposes a new technology that the researcher claims to be secure. Others then take the challenge, trying to find its security vulnerabilities. Once vulnerabilities have been discovered, the original developer provides an upgrade. And the cycle will repeat itself. By the time the product is released, virtually all serious flaws will have been discovered or removed.

Today, these cycles of testing and upgrading have been drastically reduced. Under the DMCA, security testing is limited to only those who made a good-faith effort to obtain authorization from the rightholder. The pool of security testers has been significantly circumscribed and is arguably different from the diverse group of hackers and crackers a secure system would face in real-life situations. The products therefore might not be as robust and sufficiently tested as they could be.

Moreover, academic researchers might hesitate to publish information that could spark new ideas about computer designs and security systems. Many encryption researchers are so concerned about DMCA liability that they have withdrawn or declined to publish their research results. For example, a Dutch cryptographer, Niels Ferguson, refused to publish his research findings on Intel Corporation’s video-encryption system. Likewise, some professional associations have relocated their conferences outside the U.S. to alleviate the concerns of their participants. Some publishers of scientific journals have even considered indemnifying authors for DMCA liability, making publication of academic research in the area a financially risky venture.

Amateurs are equally affected. Oftentimes, they find bugs, loopholes and glitches by accident. Although the DMCA includes exceptions for encryption research, reverse engineering and security testing, these exceptions are narrowly defined and often unavailable to these “accidental finders.” Even worse, these “discoveries” might never make it to the public, because security experts tend to ignore amateur findings while businesses have very limited incentives to voluntarily disclose technical flaws in their products (and worse, limited motivations to fix them if the flaws are not disclosed). Thus, by asking businesses to serve as gatekeepers, the DMCA hurts the public by encouraging corporate secrecy and nondisclosure of security flaws.

Software vendors might encourage you to report technical flaws, but there is no guarantee that they will fix the flaw in a short period of time. Theoretically, researchers and accidental finders could announce their “discoveries” publicly via Web sites, electronic bulletin boards and chat rooms. However, the DMCA prevents them from disclosing any further details, in particular how they successfully hacked into the system. The only thing these individuals could do is to identify the security flaw and make some vague statements about it. Without the details, the vendor could easily dismiss the break as either unreal or theoretical.

Ultimately, consumers will have to trust the words of either the vendor or the circumventor based on unsubstantiated claims, rather than objective evaluations. They will have no ability to examine whether the vulnerability patch supplied by the vendor will actually fix the flaw. In effect, the DMCA “censors” valuable information that enables the public to make an informed judgment about the security of a particular product — or better, to protect themselves against security breaches of flawed products by taking remedial actions.

In recent years, the open source and free software movements have gained momentum worldwide. It is too early to tell whether the DMCA will have any adverse impact on the development of these lines of nonproprietary software. When leading Linux developer Alan Cox released an update to version 2.2 of the Linux kernel three years ago, his company refused to disclose information about the security fixes in the software to U.S. citizens. Cox maintained that he could be exposed to legal liability and potential prosecution under the DMCA because some of Linux’s standard security features may be used for the digital rights management of copyrighted works.

Some commentators and system administrators criticized Cox for overreaction and using the security information to make a political stand. Others suggested that the DMCA might actually help convince cryptologists and security specialists to switch to nonproprietary formats. Nevertheless, it is understandable why some open-source developers — especially those who do not have lawyers sitting beside them — would fear that such disclosure might indirectly encourage circumvention of other encryption technologies used by closed-source developers (and thus subject themselves to prosecution under the DMCA). After all, the DMCA carries with it both civil and criminal sanctions.

The DMCA is a very complex statute. It is long, wordy, cumbersome, counterintuitive and internally inconsistent. Even sophisticated copyright lawyers have a difficult time understanding its reach and limitation, not to mention the general public. Until Congress and courts are able to clearly define such ambiguous phrases as “primarily designed or produced,” “effectively controls access” and “limited commercially significant purpose or use,” academic researchers, technology developers and the general public will remain confused and concerned.

Since Sept. 11, the Bush administration and CEOs of major corporations have repeatedly emphasized the vulnerability of our critical infrastructure and information networks. Despite these heightened concerns, Congress has yet to take note of the DMCA’s impact on cybersecurity. Hopefully, Congress will soon understand the problem and provide an “upgrade.”

Peter K. Yu is an assistant professor of law and the founding director of the Intellectual Property and Communications Law program at Michigan State University-DCL College of Law.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.