Legal and Binding

The DMCA threatens Internet open standards development and could make research into protection mechanisms illegal.


February 11, 2002
URL:http://www.drdobbs.com/legal-and-binding/184413233

There is a conflict in cultures between Internet engineering and the technical practices of the U.S. entertainment industry. The Digital Millennium Copyright Act (DMCA) was born of that clash.

One of the more alarming aspects of the DMCA is that it discourages the creation of technologies that "circumvent" a "copyright protection system" (CPS). A "circumvention device" is hardware or software that lets people override the CPS controls on storage, processing, or output of digital content. By some interpretations, this definition could include most research and development into Internet and information technologies, especially work on open standards.

Those who favor the DMCA often argue that research into the flaws of a technology is a form of circumvention, and thus illegal. Developers involved in such research could face civil prosecution or threat of prosecution, as in the case of Edward Felten, a Princeton computer science professor. Felten and his team defeated four watermarking technologies designed to protect digital music. The music industry tried to suppress the team's results with a threatening letter (www.cs.princeton.edu/sip/sdmi/announcement.html).

Exposure of CPS flaws for commercial gain could result in criminal prosecution. Consider the case of Dmitry Sklyarov, a Russian computer professional who was jailed for giving a lecture on how to defeat the copyright protection scheme used for many e-books and proprietary documents. (See Bret Fausett's "DRM For the Forces of Good" in the November 2001 issue of Web Techniques.)

These concerns haven't been lost on open standards advocates. And though the DMCA probably won't succeed in restricting research and development of open-standard technologies, the battle may be long and costly nonetheless.

Internet vs. Entertainment

The way Internet standards are created resembles Internet data sharing, where information products flow freely. Organizations such as the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C) publish open standard technology specifications that are available to anyone interested in writing a computer program or bringing a new product to market. Unlike the IETF and W3C, however, the entertainment and consumer electronics industries license their technology for a price.

The right to license is based on the companies' patent pools, their intellectual property rights on certain technologies. Companies that own patents can license their technology to digital entertainment device manufacturers. The license usually places constraints on how content is processed, stored, and output on a particular digital entertainment device.

Open-standard and proprietary-licensed technologies are complementary. Open standards are essential for interconnecting computers, but technology licensing is useful in preventing unsecure or unsafe modes of operation. While both approaches are necessary, the DMCA threatens the open-standard approach.

For this reason, the DMCA is dangerous to scientific investigation and engineering practices in the U.S. and worldwide. The DMCA may extend the reach of licensing authorities beyond their patent pools to encompass technologies that are in the public domain or are the intellectual property of others.

Research in Peril

Many fear that the DMCA could make published research into technology, such as essential cryptographic research, a legal offense.

For instance, should a CPS use a standard cryptographic algorithm, like the Advanced Encryption Standard (AES) of the U.S. National Institute of Standards and Technology (NIST), or the IETF's Hash-based Message Authentication Code (HMAC)? It's a good question. But research into these technologies may become subject to the DMCA's provisions.

Electronic Frontier Foundation (EFF) legal experts have cautioned that media and consumer electronics companies might assert DMCA coverage of AES, HMAC, SSL, and other public domain technologies. Corporate attorneys are already beginning to suggest that scientists and engineers avoid CPS research. But no one can suppress the facts about much of this technology. So what are those facts? First, watermarks can be imperceptibly altered, as researchers Fabien Petitcolas and Ross Anderson determined in their paper, "Attacks on Copyright Marking Systems" (citeseer.nj.nec.com/petitcolas98attacks.html). Furthermore, tamper-resistant software is always vulnerable to circumvention attacks. Bruce Schneier, author of Secrets & Lies: Digital Security in a Networked World, has made a good case for why steganography and information-hiding techniques aren't secure when they're in devices that are completely under an attacker's control.

Nonetheless, copyright protection systems incorporate encryption, authentication, key management, and other cryptographic technologies that need public evaluation. Unfortunately, with threats of prosecution, the DMCA will discourage anyone from looking into these technologies.

It may sound Orwellian, but in some cases, a mere statement of fact (a product uses a ROT-13 cipher, which is vulnerable to Caesar cipher attacks) can lead to criminal or civil prosecution.

Experts generally agree that public evaluation aids development of the best cryptographic algorithms and protocols. In many cases, people are encouraged to find vulnerabilities, which need to be identified as early as possible, though not necessarily publicized. Both open standards and the licensed standards used in copyright protection systems risk falling victim to weaknesses that inevitably become known.

Unfortunately, the DMCA may effectively suppress academic efforts to find weaknesses, leaving criminals to the task.

Assessing the Damage

So how will the DMCA threat affect the future of development? Scott Bradner, an area director in the Transport Area of the IETF, notes, "Our lawyers have cautioned us not to disregard the threat." But he adds, "the likelihood of the IETF being challenged under DMCA is very small... The public image of a copyright holder that sued the IETF for trying to improve Internet security would be badly damaged."

However, I agree with Thomas Hardjono, my fellow co-chair of the Internet Research Task Force DRM Research Group, that IETF standards included in a CPS might invite DMCA scrutiny. Thus, CPS licensing may negatively affect the open standard technologies that a CPS uses, such as AES, naming or identification technology, directories, PKI, and other open standards.

Even technologies that aren't incorporated into a particular CPS may be subject to DMCA prohibitions. For example, a company could construe generic work in altering watermarks as an effort toward circumventing their particular watermark. The same is true for key management or digital object identification, definition, and location technologies.

You can begin to see how the DMCA specter haunts technologies that have no special application to DRM.

Room for Everyone

Open standards have the potential to complement licensed standards, but the DMCA puts them at odds. Both open and licensed approaches are effective ways to develop technology standards, and each has its place. When a patent exists and is exercised, sometimes the only way to get a good technology out to the public is to license it.

4C Entity, the company that produced and now licenses the Content Protection For Recordable Media Specification, has opened its C2 cipher to public review. Licensed technology undoubtedly can provide good solutions, but cumbersome CPSs will make consumer electronics devices more expensive. The DVD Content Scrambling System (CSS) and later CPS technologies, for example, use much shorter keys than 128-bit AES. These keys are often stored on the particular device. Using longer keys does very little to prevent key theft, and the key will come under attack before the cipher.

In a recent incident, an academic group reported that it had broken through High-bandwidth Digital Content Protection (HDCP), the CPS technology for video displays. The attack didn't involve any scientific breakthroughs, but rather application of a known cryptographic principle.

Many critics of copyright protection systems opportunistically argue both that CPSs should not exist, and that particular CPSs (for example, HDCP, or Acrobat) are too weak. Weaknesses generally aren't due to the proprietary nature of the technology, but to various technical trade-offs that apply equally to the use of open standard technology.

A particularly weak CPS will fail to "keep honest people honest," which is the main function of technical protection measures. Appropriate inclusion of open standard technologies for encryption, authentication, or key management will eliminate potential weaknesses in a CPS. Open-standard technologies that withstand the scrutiny of the scientific and engineering communities are less vulnerable to surprise attacks and are valuable complements to licensed technologies.

Open standard protocols also excel in their ability to interconnect many types of devices. CPS developers can cheaply and quickly connect a CPS to external devices, such as authorization key servers, and efficiently interconnect CPSs. Open-standard Internet protocols for naming, locating, requesting, and transporting data items are essential to the operation of any device on an Internet Protocol network.

Why They'll Need Open Standards

Many studios and record labels have attempted or are attempting to start Internet-based businesses. Napster was arguably the most successful Internet entertainment venture to date. Many consumers want to use a service to share music on the Internet, but today there are likely few services that are operating completely within regional laws, at least in the U.S. Rather than serve up compelling businesses such as Napster, some big entertainment companies have served up the Hollings Bill, which places severe constraints and costs on digital devices by requiring CPS to be embedded in digital devices. (See the sidebar, "Race Against Time.")

The problem with forcing CPS technology is that copyright protection systems cannot prevent copyright violation, as repeatedly demonstrated by DeCSS and other tools. Even if someone were to invent an unbreakable CPS that was widely deployed for, say, movies, a customer could nonetheless rip a movie after the signal has been decrypted and put it onto the Internet for widespread distribution.

Conventional law enforcement will be the only recourse for rights holders. Complex CPS technology behaves as Schneier described it: it doesn't deter the professional and is overkill for ordinary users who might be tempted to make a copy.

Fortunately, selling copyrighted content without tight restrictions isn't always considered sinful. A compelling content-trading service will let its customers use content works in a variety of ways. If a consumer wants to make a copy, the company will provide a service to make copies; if the consumer wants to write the content work to a DVD, a good service will provide a DVD writing service; and so on. A technology VP from a major media company told me that his firm wasn't opposed to copying per se, but that the company doesn't yet know how to match consumer preferences for using content works.

This is not an engineering problem, but a series of legal and logistical issues among rights holders. Even a copyright protection system is secure when its users and owners have a stake in protecting its secrets and keeping it functioning properly. It's likely that most people prefer to spend time enjoying content over configuring nodes on an illegal content-trading network.

Because we don't conclusively know consumer preferences for using Internet content-trading, and because the necessary business models aren't in place, technologies must be very flexible. Open standards are flexible because they introduce modularity and interoperability. Internet open-standard technologies may not hide content works on computers or enforce copyright provisions in an entertainment appliance, but open protocols provide the infrastructure for businesses that trade in content works on the Internet. These businesses need open development.

Where Will It End?

This is less of a rant against the DMCA and more of a prediction. One might reasonably predict that the DMCA will encounter stiff resistance in the short run and leave little effect on open standards in the long run. This is because the underlying content protection technologies are inevitably weak, even though they may use some of the most important technologies in the public domain (such as the Advanced Encryption Standard or Internet key management). It's hard for me to imagine that U.S. and international research and development into such technologies could be shut down by the DMCA. It's certainly possible, but hopefully the impending legal battles will loosen restrictions.

Open standards guided by the principle of end-to-end interoperability provide a cheap way to interconnect devices on a global scale. It's cheaper for the provider and the user because open standards make it possible to remove a part without drastically affecting the whole. If a particular CPS or player or codec isn't suitable for a service, it's easier to replace when these devices connect through standard protocols. This is a cost savings to operators and their customers; it also encourages rapid deployment of new devices.

Standards built on licensed technology complement open standards when licensing terms and conditions are needed. A licensing authority can constrain a licensee to use a technology in secure or safe ways. Even the best technology, such as the RSA algorithm, can be compromised when used incorrectly. Big entertainment and consumer-electronics companies will likely insist upon using licensed technology for their information products, and will want technical protection measures to protect copyrighted products.

On the Internet, however, such copyright protection systems will need to use standard services for naming and identifying digital items, for locating digital items, for secure transactions with Web sites, for encryption, decryption, and key management. The infrastructure necessary for digital rights management and copyright protection systems is only a small part of it.

It's unreasonable to expect that all of these technologies and standards will be duplicated in the form of licensed technologies. It's more likely that licensed technologies will use open-standard technologies that must continue to be developed without hindrance from the DMCA.


Mark Baugher is co-chair of the Internet Research Task Force DRM Research Group and former chair of the Internet Streaming Media Alliance DRM Task Force. He contributes to the GDOI group key management protocol in the IETF MSEC Working Group and the Secure Real Time Transport Protocol in the IETF AVT Working Group. Mark joined Cisco Systems in 2001 and currently works on cryptographic security in the Core IP Engineering Division.


Race Against Time

As a former general counsel to the CIA and a recipient of that agency's highest honor, when it comes to security issues, Michael O'Neil knows what he's talking about. And lately, he's been worried. Speaking before an audience of computing industry representatives at the Microsoft Trusted Computing Forum in November 2001, O'Neil couldn't have been more blunt. "Help yourselves," he urged. "Fix security soon, or Washington will do it for you."

He was referring to the proposed Security Systems Standards and Certification Act (SSSCA), currently making the rounds in Congress. Sometimes called the "Hollings Bill," the legislation was drafted by Senator Eugene "Fritz" Hollings (D-SC) as an attempt to force the software industry to improve the security of network infrastructures.

"There is little financial incentive for private companies to enhance the security of the Internet and other infrastructures as a whole," the draft bill reads. "The Federal government will need to make investments in this area to address issues and concerns not addressed by the private sector."

The idea of such "investments" is troubling to security experts like O'Neil, who fear an ill-conceived, knee-jerk response from Capitol Hill in light of the recent terrorist attacks. "Congress is going to want action on security," he said, "not because it might be effective, but because they need to do something." O'Neil encouraged his audience to take proactive steps to improve security before lawmakers took the issue out of their hands.

Jack Valenti couldn't agree more. A month after the Trusted Computing Forum, Valenti, president and CEO of the Motion Picture Association of America (MPAA), echoed O'Neil's words during a one-day workshop on broadband and digital content organized by the U.S. Commerce Department. "If we don't sit down and talk, others will do this for us," he said.

Valenti is no security expert, but he is one of the most outspoken adversaries of what he calls "the tyranny of piracy" threatening the American film and television industry. While O'Neil's comments sprang from a sincere belief that action is necessary, many view Valenti's sentiments as the clearest possible example of the dark side of the SSSCA.

Opponents of the legislation see its ambiguity as an open door for new legislation that could mandate digital rights management (DRM) for consumer electronics devices. The draft bill's provisions extend not merely to Internet servers, but to any "interactive digital device," a term so broad that some believe it could include nearly anything, from PDAs to video game consoles to televisions. And, in a nod to the Digital Millennium Copyright Act, the SSSCA would make it a crime to disable any electronic security measures approved by Congress.

Taken in that context, some analysts see Valenti's comments not as a warning, but as a threat. Help me push for rights-protected content across every media format, the Washington insider and former aide to President Johnson seems to be saying, or I'll have my friends in Congress do it for me.

Little wonder, then, that Microsoft has gone to such lengths to introduce DRM technologies into its OS and media platforms. What company could be more gun-shy of government intervention than the Redmond giant? According to Andy Moss, Microsoft's director of technology policy, it would much rather see market forces determine such issues. Asks Moss, "Where's the evidence the marketplace doesn't work?"
