Research in Peril
Many fear that the DMCA could make published research into technology, such as essential cryptographic research, a legal offense.
For instance, should a CPS use a standard cryptographic algorithm, like the Advanced Encryption Standard (AES) of the U.S. National Institute of Standards and Technology (NIST), or the IETF's Hash-based Message Authentication Code (HMAC)? It's a good question. But research into these technologies may become subject to the DMCA's provisions.
Electronic Frontier Foundation (EFF) legal experts have cautioned that media and consumer electronics companies might assert the DMCA coverage of AES, HMAC, SSL, and other public domain technologies. Corporate attorneys are already beginning to suggest that scientists and engineers avoid CPS research. But no one can suppress the facts about much of this technology. So what are those facts? First, watermarks can be imperceptibly altered as researchers Fabien Petitcolas and Ross Anderson determined in their paper, "Attacks on Copyright Marketing Systems" (citeseer.nj.nec.com/petitcolas98attacks.html). Furthermore, tamper-resistant software is always vulnerable to circumvention attacks. Bruce Schneier, author of Secrets & Lies: Digital Security in a Networked World, has made a good case for why steganography and information-hiding techniques aren't secure when they're in devices that are completely under an attacker's control.
Nonetheless, copyright protection systems incorporate encryption, authentication, key management, and other cryptographic technologies that need public evaluation. Unfortunately, with threats of prosecution, the DMCA will discourage anyone from looking into these technologies.
It may sound Orwellian, but in some cases, a mere statement of fact (a product uses a ROT-13 cipher, which is vulnerable to Caesar cipher attacks) can lead to criminal or civil prosecution.
Experts generally agree that public evaluation aids development of the best cryptographic algorithms and protocols. In many cases, people are encouraged to find vulnerabilities, which need to be identified as early as possible, though not necessarily publicized. Both open standards, and licensed standards used in copyright protection systems, risk falling victim to weaknesses that inevitably become known.
Unfortunately, the DMCA may effectively suppress academic efforts to find weaknesses, leaving criminals to the task.
Assessing the Damage
So how will the DMCA threat affect the future of development? Scott Bradner, an area director in the Transport Area of the IETF, notes, "Our lawyers have cautioned us not to disregard the threat," But he adds, "the likelihood of the IETF being challenged under DMCA is very small...The public image of a copyright holder that sued the IETF for trying to improve Internet security would be badly damaged."
However, I agree with Thomas Hardjono, my fellow co-chair of the Internet Research Task Force DRM Research Group, that IETF standards included in a CPS might invite DMCA scrutiny. Thus, CPS licensing may negatively affect the open standard technologies that a CPS uses, such as AES, naming or identification technology, directories, PKI, and other open standards.
Even technologies that aren't incorporated into a particular CPS may be subject to DMCA prohibitions. For example, a company could construe generic work in altering watermarks as an effort toward circumventing their particular watermark. The same is true for key management or digital object identification, definition, and location technologies.
You can begin to see how the DMCA specter haunts technologies that have no special application to DRM.
Room for Everyone
Open standards have the potential to complement licensed standards, but the DMCA puts them at odds. Both open and licensed approaches are effective ways to develop technology standards, and each has its place. When a patent exists and is exercised, sometimes the only way to get a good technology out to the public is to license it.
4C Entity, the company that produced and now licenses the Content Protection For Recordable Media Specification, has opened its C2 cipher to public review. Licensed technology undoubtedly can provide good solutions, but cumbersome CPSs will make consumer electronics devices more expensive. The DVD Content Scrambling System (CSS) and later CPS technologies, for example, use much shorter keys than 128-bit AES. These keys are often stored on the particular device. Using longer keys does very little to prevent key theft, and the key will come under attack before the cipher.
In a recent incident, an academic group reported that it had broken through High-bandwidth Digital Content Protection (HDCP), the CPS technology for video displays. The attack didn't involve any scientific breakthroughs, but rather application of a known cryptographic principle.
Many critics of copyright protection systems opportunistically argue both that CPSs should not exist, and that particular CPSs (for example, HDCP, or Acrobat) are too weak. Weaknesses generally aren't due to the proprietary nature of the technology, but to various technical trade-offs that apply equally to the use of open standard technology as well.
A particularly weak CPS will fail to "keep honest people honest," which is the main function of technical protection measures. Appropriate inclusion of open standard technologies for encryption, authentication, or key management will eliminate potential weaknesses in a CPS. Open-standard technologies that withstand the scrutiny of the scientific and engineering communities are less vulnerable to surprise attacks and are valuable complements to licensed technologies.
Open standard protocols also excel in their ability to interconnect many types of devices. CPS developers can cheaply and quickly connect a CPS to external devices, such as authorization key servers, and efficiently interconnect CPSs. Open-standard Internet protocols for naming, locating, requesting, and transporting data items are essential to the operation of any device on an Internet Protocol network.
