Adobe, Elcomsoft and the DMCA, by Bruce Schneier
"Technically, the law only protects 'effective' copy-protection technology"

15 August 2001 (Originally published)

Copyright (c) 2001 Bruce Schneier
Founder and CTO, Counterpane Internet Security, Inc.

In July, after DefCon in Las Vegas, the FBI arrested a Russian computer security researcher who had presented a paper on the strengths and weaknesses of software used to protect electronic books. Dmitry Sklyarov (age 27) landed in jail because the Digital Millennium Copyright Act (DMCA) makes publishing critical research on this technology a more serious offense than publishing nuclear weapon designs. Just how did the United States of America end up with a law protecting the entertainment industry at the expense of freedom of speech? And how did the entertainment industry end up with stronger laws protecting their content than the information on constructing nuclear weapons?

I've already written about the DMCA, and the ultimate futility of employing technical solutions to prevent digital copying. The specific DMCA provision at work here is the one that explicitly forbids the invention and distribution of "circumvention devices" and "reverse engineering of document protection." Basically, it is illegal to break -- or explain how to break -- technology used to protect digital copyright. If you do, you go to jail (see above).

Technically, the law only protects "effective" copy-protection technology. This is a wonderful piece of circular logic: surely if it has been broken, it wasn't effective. The complaint against Sklyarov sidestepped this problem: "Nevertheless, because the book sold in encrypted form and only accessible through the eBook Reader and is not duplicatable, the copyright holder's interest in the book is protected." But if that were true, then there would be no grounds for the case.

There are also provisions in the DMCA to allow for security research, provisions that I and others fought hard to have included. But these provisions are being ignored, as we've seen in the DeCSS case against 2600 Magazine, the RIAA case against Ed Felten, and this arrest.

What the DMCA has done is create a new controlled technology. In the United States there are several technologies that normal citizens are prohibited from owning: lock picks, fighter aircraft, pharmaceuticals, explosives. (Ignore guns, since the 2nd Amendment makes it impossible to generalize from their example.) In each of these cases, only people with the proper credentials can legally buy and sell these technologies. (Every participant in the commerce of these items -- buying, selling, or even possessing -- must be registered with some governmental agency. Registration is a mandatory requirement for commerce.) The DMCA goes one step further, though. Not only are circumvention tools controlled, but information about them is also controlled. 2600 Magazine merely described, and linked to implementations of, DeCSS. Ed Felten wanted to present a paper on the deficiencies of the RIAA's various watermark schemes.

I attended Dmitry Sklyarov's talk at DefCon. What he did was legitimate security research. He determined the security of several popular e-book reader products and then notified the respective firms of his findings. His company Elcomsoft published, in Russia, software that circumvented these ineffectual security systems. His DefCon talk was a clear and evenhanded presentation of the facts. He said, in effect: "This security is weak, and here's why." (One particular company he mentioned stored the password in plaintext inside the executable. So anyone with Notepad could have the book modified for easy distribution.)

The FBI nabbed him at the request of Adobe Systems, Inc. for breaking the security on Acrobat's E-Reader API, and held him for weeks without bail. (He's currently out on bail.) The arrest was not because of his presentation, but because of the work his company did while in Russia. This is even more confusing. Elcomsoft created and marketed a product that circumvented Adobe's product. This kind of software is often required in Russia, where people have a legal right to make personal backups. Sklyarov was one of the programmers working on this project, which was completed entirely in Russia. The FBI seems to be claiming that they can arrest you for breaking U.S. law while not in the U.S. Additionally, they can arrest you if your company breaks U.S. law while not in the U.S. Computer scientists have long viewed reverse-engineering as legitimate security research. Fair use allows the owner of a copyrighted work to make copies for his personal use. The DMCA assumes that the only reason to do any of this work is to pirate copyrighted works. Writing software, publishing technical details, even giving a technical talk is illegal under the DMCA.

In 1979, "The Progressive" magazine tried to publish an article containing technical information on H-bomb design. The government claimed publication of the article would result in "grave, direct, immediate and irreparable harm to the national security of the United States." After six months of legal maneuvering, the magazine published it. In 1971, the government tried to prevent "The New York Times" from publishing "The Pentagon Papers." The Supreme Court promptly voted 6-3 to reject the government's censorship attempt, with Chief Justice Warren Burger declaring that "prior restraints on speech and publication are the most serious and least tolerable infringement on First Amendment rights."

Welcome to 21st century America, where the profits of the major record labels, movie houses, and publishing companies are more important than First Amendment rights or nuclear weapons information. (The more you look at the problem, the weirder it becomes. "The New York Times" has the legal right to publish secret government documents, unless they are protected by a digital copy-protection scheme, in which case publishing them would lead to an FBI raid.)

In many ways, the entertainment industry's tactics are similar to the NSA's during their long war against cryptography and cryptographic information. Until the late 1990s, the NSA used the threat of national security to prevent the dissemination of encryption technologies. When they could, they blocked the publication and dissemination of cryptographic information. When that failed, they concentrated on products, using both legal and illegal methods to block encryption software. Many people believe the NSA's primary rubric, export controls, would not stand up to a constitutional challenge, but it was never tested. It wasn't until the Internet made cryptography ubiquitous that the NSA eventually gave up.

During those years I was often asked about the NSA's strategy. Wasn't it doomed to fail? Yes, eventually. But for the NSA, every day they could delay the failure was another day of victory. Maybe the export control regulations (they were never laws) were unconstitutional. Maybe preventing publication of this and that was prior restraint. Maybe pressuring companies to install back doors into their software was illegal. But if it worked for a while, who cares? The NSA was fighting a holding action, and they knew it.

The entertainment industry is behaving the same way. The DMCA is unconstitutional, but they don't care. Until it's ruled unconstitutional, they've won. The charges against Sklyarov won't stick, but the chilling effect it will have on other researchers will. If they can scare software companies, ISPs, programmers, and T-shirt manufacturers (Hollywood has sued CopyLeft for publishing the DeCSS code on a T-shirt) into submission, they've won for another day. The entertainment industry is fighting a holding action, and fear, uncertainty, and doubt are their weapons. We need to win this, and we need to win it quickly. Please support those who are fighting these cases in the courts: the EFF and others. Every day we don't win is a loss.

