On April 26, 2001 Princeton professor Ed Felten and his co-authors withdrew their paper, "Reading Between the Lines: Lessons from the SDMI Challenge," from the Fourth International Information Hiding Workshop. Their decision, made on the day the paper was to be presented, was the result of threats made to the authors, the program committee members, and all of their employers by the Recording Industry Association of America (RIAA) and Secure Digital Music Initiative (SDMI). The basis for the threats is the Digital Millennium Copyright Act (DMCA), which criminalizes technologies and technological devices that can be used to circumvent technology measures used to protect copyrighted works. The same law was the justification for the arrest of Russian computer scientist Dmitri Sklyarov, who had written a program that breaks Adobe’s copy protection scheme.
In 1998, before the DMCA had become law, 49 computer security experts signed a letter (www.cerias.purdue.edu/homes/spaf/WIPO/index.html) in which they expressed the concern the DMCA could "criminalize many current university courses and research in information security, and severely disrupt a growing American industry in information security technology." At the time some people believed this concern was exaggerated. But recent events, as well as the refusal of some computer security researchers to attend conferences held in the U.S. and calls to move other conferences outside the U.S., have demonstrated that the concerns were well founded.
Because of concerns that ACM members and ACM itself could be subjected to civil or criminal prosecutions, the ACM Council voted in June to submit a legal document in support of Felten. The ACM declaration (www.acm.org/usacm/copyright/felten_declaration.html) is the ultimate result of that vote. Below is a FAQ explaining the case and the reasons why ACM decided to file the declaration.
Who are the plaintiffs?
Edward Felten, Bede Liu, Scott Craver, and Min Wu (all of whom were at Princeton University when the original paper was written); Min Wu is now at the University of Maryland; Dan Wallach, Ben Swartzlander, and Adam Stubblefield (all of whom were at Rice University); Ben Swartzlander is now working in Silicon Valley; Drew Dean, who was at Xerox PARC and is now at SRI International; and the USENIX Association. Princeton and Rice Universities are not plaintiffs.
Who are the defendants?
The RIAA, the SDMI, Verance Corp, John Ashcroft, in his official capacity as U.S. Attorney General, and unknown individuals or companies that developed some of the technologies used in the SDMI Public Challenge.
Why have Felten and his co-authors filed a legal case?
Felten et al. had entered a contest sponsored by the SDMI "inviting people to attempt to crack certain technologies they are considering for use in their system. They [SDMI] set up a Web site where music samples and some other information could be downloaded to aid in analyzing the technologies" (see www.cs.princeton.edu/sip/sdmi/faq.html#A1).
The researchers defeated the four watermarking technologies in the challenge. They chose not to attempt to collect a cash prize, because a precondition for receiving the prize was the signing of a confidentiality agreement prohibiting any public discussions of their research. Instead, they submitted their paper to the Fourth International Information Hiding Workshop, and it was accepted. Shortly before the workshop was to begin, the authors were threatened by the RIAA and the SDMI. A copy of a letter received by Felten is at www.cs.princeton.edu/sip/sdmi/riaaletter.html. In addition to the written threat, all of the authors, their employers, all of the program committee members and their employers were threatened. Ultimately, the authors chose to withdraw their paper from the workshop.
The paper was subsequently presented at the 10th USENIX Security Symposium in August. The authors of the USENIX paper, together with USENIX, are now plaintiffs in a Declaratory Judgment suit filed June 6 against the RIAA, the SDMI, Verance, and U.S. Attorney General John Ashcroft. This is the case for which ACM has submitted a declaration.
What was the justification for the threat?
Felten et al. were threatened under the anticircumvention provisions of the DMCA.
What agreement, if any, was made by Felten et al. when they entered the contest?
The RIAA and SDMI stated in a letter to Felten that "any disclosure of information that would allow the defeat of these technologies would violate both the spirit and terms of the Click-Through Agreement," which claims to preserve all rights under the DMCA. Felten et al. claim "the DMCA did not apply to this challenge, since SDMI granted explicit permission to study their technologies." (www.cs.princeton.edu/sip/sdmi/faq.html). They further claim that by not signing the confidentiality agreement required in order to be eligible for the prize, they are free to publish their results.
The RIAA and SDMI have recently stated they "have no intention of bringing a lawsuit against Felten or his colleagues." They did not give their reasons for backing off from their initial threats and claims.
Why should the ACM care about the outcome of the case?
ACM’s various publications have published articles on topics such as watermarks, encryption, authentication, access control systems, tamper resistance, and threat and vulnerability assessment. If any of these articles could be interpreted as dealing with "a technological measure [that] effectively controls access to a work," ACM might find itself at risk.
One of ACM’s primary goals in submitting a declaration is to minimize the possibility of being a defendant in some future anticircumvention case. The declaration describes ACM, its scholarly activities relating to publishing and the holding of conferences, and the potential implications of the anticircumvention provisions of the DMCA on what ACM does.
Could an ACM member be in danger of being a defendant in a civil or criminal case based on the DMCA?
Yes. That is precisely what ACM members Ed Felten and Drew Dean, as well as their co-authors, were threatened with by the RIAA and SDMI. As stated in the declaration, ACM is also concerned about the potential implications of the DMCA for its November 5, 2001 Workshop on Security and Privacy in Digital Rights Management (see paragraphs 16–23 of the declaration).
How is a declaration different from an amicus brief? Why is a declaration preferable in this case?
A declaration is a factual document viewed as evidence in the court. It can be cited by both parties, and it must be considered by the court if it is relevant and admissible. Therefore, we are assured that ACM’s interests will be reviewed by the court. An amicus brief (literally, a friend of the court) is not evidence and need not be considered by the court. An amicus brief offers only suggestions to the court. It can discuss facts that might be of interest to the court, but it usually focuses on law or policy issues.
What is it about the DMCA that has us concerned? What is meant by "the anticircumvention provisions of the DMCA"?
Briefly, Section 1201 of the DMCA criminalizes technologies and technological devices that can be used to circumvent "a technological measure that effectively controls access to a [copyrighted] work." The law does not address issues such as the robustness of a technological measure. The publication of an analysis of flaws in a weak and poorly designed technology that is supposed to control access to a copyrighted work could be considered a violation of the DMCA.
A critical aspect of the anticircumvention provisions of the DMCA is that intent to circumvent copyright is not a requirement for being found in violation of the law. In other words, someone who has made no illegal copies of a copyrighted work and who intends for his or her work to be used only to better understand some aspect of science could be charged under the DMCA. (Section 1201 of the DMCA can be viewed at eon.law.harvard.edu/openlaw/DVD/1201.html.)
An alternative bill was proposed at the same time as the DMCA by Campbell (R) and Boucher (D). Their bill, opposed by large content owners, would have required that there be intent to infringe copyright before someone could be found in violation of the law. Specifically, section 1201 of the Campbell/Boucher bill begins: "Circumvention conduct—No person, for the purpose of facilitating or engaging in an act of infringement… ."
What is meant by the "antidissemination provisions of the DMCA"?
Section 1201 says that "no person shall … offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that… ." "Offer to the public, provide, or otherwise traffic in" could be interpreted to include presenting talks and publishing papers. This appears to be the interpretation the RIAA and SDMI had in mind when they threatened Felten et al.
How does the DMCA define notions like circumvention and controlling access to a work?
The definitions for 1201 are contained in subsection 1201(a)(3), quoted in its entirety here:
- "As used in this subsection—
- (A) to ‘circumvent a technological measure’ means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner; and
- (B) a technological measure ‘effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work."
There are significant implications for encryption research and development in this definition. In addition, 1201 could be used to prevent reverse engineering for the purpose of detecting bugs in software, removing viruses, or, possibly, even removing code that may engage in activities the user doesn’t want, such as reading the contents of the user’s hard disk. Most Y2K work might have been made illegal, had the anticircumvention provisions been activated at the time.
What are the plaintiffs hoping to accomplish?
They are filing a Declaratory Judgment suit asking the court to determine that the presentation and publication of the paper by Felten et al. is not in violation of the DMCA.
They also have asked the court to set a formal interpretation of the DMCA so future papers are not threatened and, if this is not possible, to declare the portions of the DMCA that reach scientific publication unconstitutional. Finally, they have sought an injunction to prevent either civil or criminal actions against them for publishing the paper.
If the plaintiffs win, what might the impact be on ACM?
It depends on how far up the court system the case progresses and how broad or narrow the ruling is. The optimal outcome from ACM’s perspective would be a ruling by the Supreme Court declaring the anticircumvention provisions of the DMCA to be unconstitutional. At the other extreme would be a dismissal of the case on the grounds that the RIAA et al. have promised not to sue.
If the plaintiffs lose, what might the impact be on ACM?
If this were to happen, ACM could find itself in a very difficult situation. ACM might need to hire attorneys to review conference and journal submissions that could possibly be in violation of the anticircumvention provisions of the DMCA. ACM might even need to terminate conferences and cease publications in some areas of computer security and encryption. Whatever path ACM were to take, there would be a chilling impact on ACM’s ability to publish freely and on the ability of ACM’s members to conduct research and to present their results to the public.
Does the ACM declaration in any way raise objections either to copyright or to technologies for digital rights management (DRM)?
No. In fact ACM is sponsoring a workshop on DRM technologies.
What does USACM have to say about the Felten case and the DMCA?
USACM, the U.S. Public Policy Committee of ACM (www.acm.org/usacm/), was opposed to the anticircumvention provisions of the DMCA before it even became law. Quoting from a recent USACM press release:
- "USACM is concerned about the DMCA, because it interferes with noninfringing, legitimate science and research beyond simply prohibiting copyright infringement. It does this by placing overly broad restrictions on technology and communication."
Does ACM have any legal exposure because it has submitted a declaration?
No. ACM is neither a party nor a litigant in the case, and the law recognizes a broad prohibition on legal liability based upon statements made to a court. ACM is simply submitting a statement based on its own specific concerns regarding the issues raised in the case.