From the Politch list, Aug 25, 2001
-----------------------------------
Subject: FC:
DMCA restricts police forensics tools, cryptanalysis research?
Date: Sat, 25 Aug 2001 18:41:56 -0400
From: Declan McCullagh <declan@well.com
To: politech@politechbot.com

The below message is from today's RISKS Digest 
(http://www.csl.sri.com/users/risko/risksinfo.html).

The DMCA (sec. 1201) says in part "no person shall manufacture, import,  offer to the public, provide, or otherwise traffic" in anything that "is  primarily designed or produced for the purpose of circumventing a  technological measure that effectively controls access to a work protected  under this title." Anyone care to speculate about whether that applies to  Fred's product? (http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:)

While the DMCA may well be an awful law, one thing I've never understood is  why many folks seem to think it bans publishing your research into security  flaws and so on. The RIAA/SDMI threats against Ed Felten & co were  spurious. There are two prongs to the DMCA: Don't bypass copy protection  schemes, and don't sell stuff that automates that process. Nowhere does the  law say "don't tell others what you learned." Even if circumventing (for  profit) is a felony, telling people how they could theoretically break the  law is generally legal, right?  (http://www.loompanics.com/Articles/HitManLawsuit.htm)

-Declan
 

:  Re: FC: DMCA restricts police forensics tools, cryptanalysis research? Date: Sun, 26 Aug 2001 01:28:11 -0300
From: pedro rezende
To: declan@well.com
References: 1

Declan McCullagh wrote:

[...]telling people how they could theoretically break the law is generally legal, right?

Dear Declan,

Unfortunately, your suggestion doesn't hold water.

Telling it, without testing if the "how to break" algorithm really works, can be a crime: "spreading false rumors intended to cause economic damage". On the other hand telling it, by having tested the "how to break" recipe before, is also a crime: a DMCA violation.

The problem here, Declan, is a flaw in the law's logic, giving DMCA an infinite imbalance, similar do an infinite loop in a program.

The law implicitly steers one and only one side, and always the same side, into a position of being able to validly assert whether or not a technological measure "effectively controls access to" something copyrightable. Thus, such steering gives this side, which happens to be the distributor/owner/producer of such "technological measure" who lobbied for the law, excessive (infinite) power. Why? Follow me: 

Any one else trying to reach a position of being able to assert, in court, whether or not a given technological measure "effectively controls access to" something, will be violating DMCA in case the something is copyrightable material and the answer is no. The violation occurs in the very act of asserting the answer, beyond reasonable doubt in the negative. And a negative answer will invariably contradict the standing of the side holding legal status to say anything about the matter, for the distributor/owner/producer of such a "technological measure" would never distribute/develop/produce its product without holding a public stance, in court, on the effectiveness of the claimed control effected by it: It would be a crime against the consumer!!! 

Such power, that of being able to glue legally unchallengeable labels on black boxes, is therefore an unchecked and uncheckable power. And, as we know and as history tells, unchecked powers are invariably abused. It's human nature. In the case of the unchecked empowerment of DMCA, we have seen the abuse right at its debut in court, against DeCSS.

In the case of DeCSS every cryptologist, and anyone with an average brain willing to follow the logic of discourse, can figure out what's going on, once dogmas are left out. The only access CSS *can* control, is access *to* DVD's meaningful content *by* unlicenced software. CSS does *not* protect copying of encripted DVD material -- CSSed DVD material can be copied, bit by bit, by any program accessing the DVD drive's hardware, with zero knowlege of DVD media's possible bitstream's syntax and semantics. CSS does *not* control access to DVD's material, whether the access is meaningful or not. Any copy of a CSSed DVD -- legal or not -- can be meaningfully accessed by any legal-or-not copy of a licenced DVD driver software. 

For instance, one can meaningfully view an illegal copy of a CSSed DVD (which can can be harnessed as described above), through an illegal copy (which most of us know how to get) of a licenced driver software, without any hindrance or detection by the encryption mechanisms. One only loses the intended meaning of one's viewing experience if one chooses an "unlicenced" driver software, or if one gets the wrong geographic matching of the originals DVD and licenced driver software. In the last two "ifs", the real effectiveness of CSS surfaces. 

CSS is a technological measure to control the *means of access* to copyrightable materials, not to control *access* to them. Its only effectiveness is for tying up two different types of products: CSSed DVDs and CSS-enabled DVD driver softwares. In other words, its only effectiveness is in forcing the viewer of a legally acquired CSSed DVD, to buy a certain type of software to view it. A software which will allow the buyer to have his viewing experience only if place of purchase of software and DVD match. And last but not least, a type of software only available to run on a certain type of operating system, a system whose owner/producer has already been condemned (in last stance, at Oct 9, 2001) for monopolistic predatory practices. This is Sherman's Act stuff, all the way. 

However, the only side DMCA allows into a valid position to say anything in this regard, says just the opposite. And the ones that stood up to prove that the type of access control attributed to CSS by its owner/producer/distributor is a fake, are condemned in the process of proving it, for having defeated its hidden purpose. While CSS's alledged intent was being skillfully miscronstrued, with its alledged intent being taken to be the same as its true effect, and its hidden purpose's defeat taken to be its alledged intent's violation. In the law's first test, in Kaplan's court, all this happened wiith lots of secrecy around the proceedings, demanded by the owner/producer/distributor plaintiff.

In the New York trials, judge Kaplan refused to consider the defendant's argument against the claim on CSS's alledged effectiveness, as such. Judge Kaplan did consider it, but not as such. Rather, he did considered it as proof of its alledged-intent-equal-its-true-effect's violation. This is Kafka stuff, all the way. No amount of wishful thinking can change the logic behind these facts, no matter how badly fogged it can make them. I will quote Bruce Schneier to close, but without quotation marks, for not recalling his exact words.

I am sorry to say this, but what we *wish* cryptography can do, may have nothing to do with what we *are able to harness* cryptography to do. It will be a good thing to stop believing naively, those who do, that technology can solve human problems. If well suited, it can solve at most technical problems. If not, it can aggravate human problems. Those who think otherwise don't understand neither technology nor their problems. DMCA is law about technology that refuses to delve into techological issues. Thus, it is coming up as a case of the latter, as CSS shows. 
 

From the Politch list, 15 Jan 2003
-----------------------------------

DMCA v garage door openers
 

From: Fred von Lohmann EFF
To: Declan McCullagh <declan@well.com>

In the latest bit of DMCA lunacy, copyright guru David Nimmer turned me  onto a case that his firm is defending, where a garage door opener company  (The Chamberlain Group) has leveled a DMCA claim (among other claims) against the maker of universal garage door remotes (Skylink).  Yet another case where the anti-circumvention provisions of the DMCA are  being used to impede legitimate competition, similar to the Lexmark case. 

Not, I think, what Congress had in mind when enacting the DMCA.

The Complaint: http://www.eff.org/IP/DMCA/ 20030113_chamberlain_v_skylink_complaint.pdf   The Amended Complaint: http://www.eff.org/IP/DMCA/ 20030114_chamerberlain_v_skylink_amd_complaint.pdf The Summary Judgment Motion: http://www.eff.org/IP/DMCA/ 20030113_chamerlain_v_skylink_motion.pdf Fred von Lohmann Senior Intellectual Property Attorney Electronic Frontier Foundation

---------------

Date: Wed, 15 Jan 2003 23:57:42 -0500
Subject: Re: FC: DMCA vs. The Garage Door Opener
From: "R. Polk Wagner" <polk@law.upenn.edu
To: declan@well.com

I don't see the lunacy.

The case features patent and various trademark-type claims as well. The DMCA provides one additional (albeit significant) argument - with the allegation being that Skylink is building devices that break whatever protection is wrapped around the code-rolling software.  It would seem to have the basic features of what Congress was intending with the DMCA: to make technological protections 'stick'.

Further, trying to control a complementary market to one's good (here, replacement door-opener remotes) is a very standard business tactic. And one that is implemented via a number of mechanisms: contracts, technology, and (gasp) intellectual property.  The discipline here is provided by the market - if Chamberlain uses its control of the replacement remote market in a way that diminishes the utility (or raises the overall cost) of their goods, then they'll suffer the consequences.  (Assuming, of course, that the market for garage-door opening systems is competitive, which seems a safe assumption.)

In some cases, it can be more efficient to allow the creator of the original good to control the complementary market; it may allow for better pricing mechanisms, or some quality benefits.  In other cases, it's not so good.  But in either event, given reasonable competition in the market for the original goods, this will get sorted out -- almost certainly in the consumer's favor.  Here, Chamberlain argues that the Skylink remotes 'break' the security features of the garage door system.

There are a number of problems with the DMCA.  But I'm not sure this is one of them, even if one doubts (as I do) whether this move is smart for Chamberlain's business.

Polk

Polk Wagner teaches intellectual property law at the University of Pennsylvania's 

 

Asunto: 

Re: FC: Polk Wagner: Garage door opener DMCA case is hardly "lunacy"

 Data: Thu, 16 Jan 2003 14:08:17 -0200
 De: rezende
 Para: Declan McCullagh <declan@well.com>, polk@law.upenn.edu

I don't see the lunacy.

The case features patent and various trademark-type claims as well. DMCA provides one additional (albeit significant) argument - with the allegation being that Skylink is building devices that break whatever protection is wrapped around the code-rolling software.  It would seem to have the basic features of what Congress was intending with the DMCA: to make technological protections 'stick'.

Dear Declan,

Allow me a comment on the above posting. Mr Wagner does not see the lunacy because he does not want to see what DMCA is effectively good (or perhaps really intended) for. 

One is excused from a naive and simplistic approach to what digital technology really is, and can do, if one is not from the field. Those who defend DMCA shall be reminded, as often as necessary, that technology is not produced by angelical beings but by human beings, whose nature happens to have a dark side. 

DMCA is not good for making technological protections 'stick', as prof. Wagner wants: APPROPRIATE technology, when POSSIBLE, is what is good for that, in which case protection 'sticks' by itself.

What DMCA is good for, is to make technological protection LABELS 'stick'. Laws like DMCA are only needed for protecting innapropriate technology, or better said, to protect outdated business models relying on innapropriate technology for its outliving. 

In the case of CSS, for example, encryption was given a copy protection label, but every cryptographer knows that criptography does not prevent copying. After some dispute, the label was changed to 'access control protection'. And again, it is not cryptography that protects access control, but appropriate key management. And CSS's key management is completely innapropriate for that, as shown by DeCSS. 

What CSS is good for, is to establish a "tie in" mechanism between DVD and DVD driver software markets. What CSS controls is the MEANS of access to DVD material, not the access itself. And has been doing that by limiting those means to those licensed to a monopolistic operating system, whose producer has already been convicted for predatory monopolistic practices. This is Sherman's Act stuff, all the way. 

However, anyone trying to reach a position of being able to assert, in court, whether or not a given technological measure such as CSS "effectively controls access to" something, will be violating DMCA in case the something is copyrightable material and the answer is no. The violation occurs in the very act of asserting the answer, beyond
reasonable doubt in the negative. 

The way the letter of DMCA really works, to protect such labels, is by shielding snake oil vendors from criminal responsibility for deceiving costumers, no matter what the intention of the legislator has been. The
letter of DMCA treats technology as creation of angelical beings. The Norwegian high court, on the case against DeCSS's alleged author (Jon Johansen), has shown us by example that Law need not treat it as such.

DMCA looks like an emanation from a mindset which is schyzofrenic with regard to the digital revolution. Trying to canonize DMCA and its supporters only exposes one paradox after another, at a mounting social
cost. 

Respectfully,

Prof. Pedro Antonio Dourado de Rezende