[Infowarrior] - Seeking changes to the DMCA

Richard Forno rforno at infowarrior.org
Fri Mar 31 18:51:41 EST 2006


Seeking changes to the DMCA

By Declan McCullagh
http://news.com.com/Seeking+changes+to+the+DMCA/2100-7348_3-6056616.html

Story last modified Fri Mar 31 13:48:24 PST 2006


WASHINGTON--Because of a controversial 1998 copyright law, it may be illegal
to defang even potentially harmful software, like the anticopying technology
found on some Sony BMG Music Entertainment CDs.

But those strict legal restrictions should stay in effect, entertainment
industry lobbyists said Friday, when they urged the U.S. Copyright Office to
avoid making any changes to the Digital Millennium Copyright Act.

"There are many other avenues to address these questions, and certainly many
other laws that may be relevant in this circumstance," said Steven Metalitz,
a senior vice president at the International Intellectual Property Alliance.
The group represents large copyright holders.

Computer security experts have asked the Copyright Office to alter the DMCA
to protect their research. Edward Felten, a professor of computer science at
Princeton University, said Friday that he and graduate student J. Alex
Halderman uncovered the Sony problem a month before the news about it broke
in November--but feared a lawsuit under Section 1201 of the DMCA if they
disclosed it without the record label's authorization.

Because of the lag time, "a great many of consumers were at risk every day,"
Felten said. "Our exemption request is fundamentally asking for protection
for those consumers."

Under federal law, the Copyright Office is required to solicit public
opinion every few years on whether any amendments--called "exemptions"--to
the DMCA are necessary. Section 1201 of the law broadly restricts
circumventing "a technological measure that effectively controls access" to
a copyrighted work.

Sony rootkit's lesson

In the past, security researchers would notify the vendors first of any
bugs, but now they're afraid to disclose such flaws without first consulting
a lawyer, Felten said. He added that the DMCA has discouraged security
researchers from embarking on new projects and has driven some away from the
field. (Felten once was threatened with a DMCA lawsuit by the recording
industry for exposing weaknesses in a music-watermarking scheme.)

After a public outcry last fall, Sony voluntarily said it would halt
production of certain copy-protected CDs. Those CDs installed a bundle of
software, including a "rootkit" used to mask the presence of copy-protection
software--and, if abused, malicious programs as well. The incident prompted
one Homeland Security official to suggest banning rootkits.

Aaron Perzanowski, a law student at the University of California at
Berkeley's Samuelson Law, Technology and Public Policy clinic, and clinic
director Deirdre Mulligan said that Felten could have been subject to legal
liability if he had disclosed his findings about the Sony rootkits. After he
found the flaw, Felten said he called lawyers and spent a month in
negotiations with them, and decided not to publish his results right away.
Programmer Mark Russinovich did instead.

Lobbyist Metalitz offered a detailed list of reasons why he said such an
interpretation of the DMCA was incorrect. The law already provides
sufficient protection in Section 1201 for researchers like Felten to do
their work, he said. (That section, 1201(j), permits bypassing anticopying
technology "solely for the purpose of good faith testing, investigating, or
correcting, a security flaw or vulnerability.")

But in the Sony BMG incident, the record label's first crack at an
uninstaller proved riddled with new problems, Felten said, and even the
latest version of the patch won't prevent reinstallation of the rootkit each
time the type of copy-protected CD is inserted into a computer. Felten and
other security professionals have been able to devise alternative
uninstallers that would prevent such reinstallation indefinitely, but are
worried that their "unauthorized" methods could get them sued.

"It's this uncertainty that creates the very risk," agreed Matthew Schruers,
a lawyer for the Computer and Communications Industry Association, whose
members include Sun Microsystems, Verizon and Yahoo. "So that raises for me
a perplexing question: Why on earth are we putting cybersecurity in the
hands of copyright lawyers?"

Previous DMCA exemptions granted by the Copyright Office include:
researchers into filtering could study blacklisting techniques, and obsolete
copy-protection schemes could be legally bypassed.

When reviewing the DMCA, the Librarian of Congress is required to consider
the impact that the anticircumvention sections have "on criticism, comment,
news reporting, teaching, scholarship, or research (and) the effect of
circumvention of technological measures on the market for or value of
copyrighted works."

The Copyright Office received more than 100 comments on its notice of
proposed rulemaking published last year and plans to release its final
determinations by the end of October. Marybeth Peters, the Register of
Copyrights, said that the office has reached no conclusions yet on any of
the exemptions.


Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.



