2/21/00 Financial Cryptography '00: TOWARDS MORE SENSIBLE ANTI-CIRCUMVENTION REGULATIONS Pamela Samuelson, UC Berkeley, Financial Cryptography ’00 February.

1 TOWARDS MORE SENSIBLE ANTI-CIRCUMVENTION REGULATIONS
Pamela Samuelson, UC Berkeley
Financial Cryptography ’00, February 21, 2000

2 OVERVIEW OF TALK
Origins of new legal regulations concerning circumvention of technical protection systems
Overview of act-of-circumvention and anti-device rules
Why these rules are troublesome
Possible paths to rectifying the problems

3 CIRCUMVENTION IN CONTEXT
Before a group of cryptographers, it is wise to recognize that this community regards circumventing TPS and making tools to circumvent TPS as natural and good (can’t improve security without trying to break it)
But now that other industries are using encryption, they have different perspectives
Hollywood, in particular, likens circumvention to “breaking & entering,” and software to do this as “burglars’ tools”

4 WHY ANTI-CIRCUMVENTION REGS?
U.S. “White Paper” on Intellectual Property & the NII (1995) (its author = former copyright lobbyist)
Proposed to outlaw tools (sw or hw) whose “primary purpose or effect” was to bypass TPS used by copyright owners to protect their works
Nearly identical provision proposed for international treaty
Copyright industries were strong supporters of Clinton; stronger copyright laws as quid pro quo

5 MORE ON WHY
White Paper anticipated global market for digital copyrighted works
TPS to overcome vulnerability to “piracy”
Need for legal reinforcement for TPS to outlaw circumvention/piracy-enabling tools
“Not unprecedented” (DAT law, satellite broadcasting “black-box” decoders)

6 DEVELOPMENTS IN ‘95-’96
WP legislation was highly controversial
Anti-circumvention only 1 of several problems (most attention to ISP liability)
Equipment mfrs: unfair to hold responsible for what users do; can’t respond to all TPS; need for exceptions
So broad, NSA could have been shut down (because they make tools to circumvent TPS & virtually all content “sniffed” is copyrighted)

7 WIPO DEVELOPMENTS
Diplomatic conference at the World Intellectual Property Organization in Geneva in Dec. 1996
Draft treaty contained variant on US a/c proposal
A/c provision was highly controversial: worries about effect on public domain, fair use, technological development
Compromise in final treaties: “adequate” protection and “effective” remedies vs. circumvention of TPS

8 POST-WIPO EVENTS
Post-WIPO clash of titans over ISP liability: Hollywood v. telcos/ISPs
Compromise on ISP issue (“safe harbors”) broke logjam in March 1998
Political capital largely spent on ISP issue
Some compromise as to anti-circumvention regs in DMCA, but not as to tools provision
US pushing other countries to adopt its rules

9 ACT-OF-CIRCUMVENTION
Treaty so vague that legislation not needed in US, but even if so, only as to circumvention
Campbell-Boucher bill: proposed to outlaw circumvention of TPS to enable copyright infringement
MPAA: wanted all circumvention outlawed
Compromise in DMCA: illegal to circumvent access control, 17 U.S.C. s. 1201(a)(1)
2 year moratorium; LOC study; 7 exceptions

10 EXCEPTIONS TO 1201(a)(1)
Legitimate law enforcement & national security purposes
Reverse engineering for interoperability
Encryption research and computer security testing
Privacy protection & parental control
Nonprofit “shopping privilege”

11 ANTI-DEVICE PROVISIONS
Illegal to “manufacture, import, offer to public, provide or otherwise traffic” in
Any “technology, product, service, device, [or] component”
If primarily designed or produced to circumvent TPS, if only limited commercial purpose other than to circumvent TPS, or if marketed for circumvention uses

12 MORE ON DEVICE RULES
1201(a)(2)--devices to circumvent effective access controls
1201(b)(1)--devices to circumvent effective controls protecting right of cop. owners
Actual & statutory damages + injunctions
Felony provisions if willful & for profit
MPAA v. Reimerdes 1st civil case

13 MPAA v. REIMERDES
Injunction vs. posting of DeCSS on websites or otherwise making it available
CSS is effective access control for DVDs
DeCSS circumvents it & has no other commercially significant purpose
Lack of evidence for Linux compatibility argument
Besides, 1201(f) only protects interoperation with programs, not “data” on DVD

14 DVD-CCA v. McLAUGHLIN
Trade secret misappropriation case
Not just vs. posting, but also vs. linking
CSS = proprietary information; DVD-CCA took reasonable steps to maintain secret
Inference: someone must have violated clickwrap license forbidding reverse engineering
Even though DeCSS on web for 4 months, not to enjoin would encourage posting TS on Web
Judge upset by “boasting” about disrespect for law

15 IMPLICATIONS OF DVD-CCA
Anti-reverse engineering clauses are common in software licenses; enforcement worrisome
Willingness to enforce and treat information obtained through reverse engineering as trade secret also worrisome
Willingness to enjoin information that has been public for several months may be error
“Fruit of poisonous tree” rationale (judge knows Johansen didn’t reverse engineer, nor did many posters, yet held as trade secret misappropriators)

16 CURIOUS THINGS ABOUT 1201
Only 3 exceptions to 1201(a)(1) explicitly allow building tools
Only interoperability exception limits both anti-device rules
Did Congress mean to allow circumvention to make fair use, yet make it illegal to make tools needed to accomplish? (Ha! Ha!)
LOC to study only act, not device rules

17 PROBLEMS WITH A/C REGS
Legitimate purpose circumventions
  –existing exceptions overly narrow
  –need for general purpose exception
  –clarify that fair use circumvention is OK
“Dual use” technologies
  –tools to enable legitimate uses
  –how device rules could be narrowed
Copyright-centric regulations

18 EXCEPTIONS TOO NARROW
Interoperability: not just programs; other reverse engineering may be legitimate
Encryption and computer security research:
  –no authorization and expert requirements
  –OK to make tools
  –less onerous rules on disseminating results
Privacy exception: Windows 2000 hypothetical (see BTLJ paper)

19 A GENERAL PURPOSE EXCEPTION?
Need for “or other legitimate purpose” exception to access control rule
Examples of other legitimate acts:
  –if reasonable grounds to believe infringing copy or computer virus inside TPS
  –illegitimate invocation of “technical self-help”
Courts able to tell difference between legitimate & illegitimate acts

20 DUAL USE TECHNOLOGIES
Circumvention tools are not burglars’ tools
Ways to narrow rules:
  –substantial noninfringing use standard
  –intent/knowledge/injury/infringement requirement
  –commercially significant cf. apparent legitimate purpose (freeware should not be vulnerable)
  –technology-specific (e.g., circumvention of SCMS)
Think through relation between range of legitimate circumventions and availability of tools (if X is lawful, tool to do X should be OK)

21 COPYRIGHT-CENTRICITY
Encryption protects more than commercial copyrighted products (e.g., private personal communications, trade secret/confidential business information, e-cash)
Circumvention of encrypted information is a more general problem (sometimes legitimate, sometimes not)
So is the availability of circumvention technology
Would suggest the need for a general law

22 UNINTENDED CONSEQUENCES?
Copyright law protects “original works of authorship” from moment of 1st fixation
Private email is copyrighted, so are business documents
If encrypt to control access, circumvention would be illegal under 1201(a)(1), even if legitimate reason (e.g., employer has reason to believe contents are pornographic)
Less clear 1201(a)(1) applies to e-cash (although circumvention a problem here too)

23 UNINTENDED CONSEQUENCES?
X makes software that circumvents Y’s encryption system
Z is a copyright owner who decides to use Y’s encryption system to protect digital pictures
Does X’s tool then become illegal?
Can Y sue X? Can Z sue X?
What harm has X’s software done to Y or Z?
1201(a)(2) and (b)(1) do not require any underlying infringement; mere potential is enough

24 WAYS TO CHANGE RULES
Common law interpretation (some judges will stretch existing exceptions)
Legislative amendments to 1201
  –broaden encryption/computer security exceptions
  –general purpose exception
  –narrow tools provision
Broadened LOC studies/rulemaking

25 LIBRARY OF CONGRESS STUDY
Main focus: consider impact of act-of-circumvention rules on fair use and other noninfringing uses
LOC can issue rules exempting works or user groups from act-of-circumvention rules
Need for study of impact of anti-device rules because overbroad and contradictory to other aspects of 1201
Potential for deleterious consequences (e.g., “strike suits” & “chilling effects”)

26 CONCLUSION
Copyright industries intend to exercise substantial control over encryption policy
They may have a myopic perspective (but they think cryptographers are myopic)
Good news is that encryption research/computer security testing is exempt in US (but not in EU)
Bad news is that the US is promoting overbroad anti-device rules outside US
1201 unlikely to be repealed, but could be better & you can help make it so
