Editorial note: this draft contains corrections to the original description of the weakness in eBook Pro and Adobe's E-book DRM scheme relative to the original version of the article published in Computer Shopper. The poor encryption of Internet Marketing Center's eBook Pro product was attributed to Adobe in error; Adobe's product is marginally more secure. (This error crept into the press via Linux Weekly News and other leading-edge media reporting on the issue, and I was unable to obtain independent confirmation, or direct access to the Sklyarov paper, at press time back in early July.)
Warning: do not photocopy this article, visit the United States, and show the photocopy to a customs officer. If a criminal case working its way through the Californian court system results in a guilty verdict and sets a precedent, doing so will get you into seriously hot water, to the tune of a $50,000 fine and five years in a federal prison. No, there's nothing in this article which is illegal.
Possession of a photocopy of this article is not illegal in the UK -- yet. But a draconian new piece of legislation passed on the nod by US Congress in 1999 is threatening to overturn a centuries-old common law doctrine called "fair use", and in the process, turn us all into criminals. Worse: the large companies who lobbied for this law have nobbled the international trade organisations and are trying to export this law by international treaties: a draft directive based on it has already been rubber-stamped by the European Commission. And under new interpretations of US law, you aren't safe from extradition and prosecution even if you engaged in activities which are perfectly legal at home -- as Dmitry Sklyarov, a Russian programmer who has never knowingly broken a law in his life, is discovering the hard way.
This mess is new; it's emerging from the inevitable collision of the internet and copyright law. What's new is the pervasive lobbying of big companies (film, music, and software businesses in particular) who want to clamp down on reverse engineering of file formats, even when it's hitherto been perfectly legal. It has implications for everyone who uses a computer -- and some of them are unexpected.
The Sklyarov case
Meet Dmitry Sklyarov. He's twenty-six, married, two children, a whizz kid programmer and a respectable cryptographer. One of the success stories of the Russian computer industry, Dmitry lives in Moscow and works part-time for a company called Elcom, while pursuing postgraduate research in computer science. He probably earns a couple of hundred dollars a month.
Meet Adobe Corporation. Adobe is the five hundred pound gorilla in the world of computer typesetting -- they're the people who get a royalty whenever you buy a Postscript printer, they're the people who sell software such as Acrobat, Illustrator, Photoshop, Pagemaker, and InDesign. They probably earn a couple of billion dollars a year.
There's been a lot of hot air recently about e-books -- books that are distributed in electronic form for reading on a handheld device or PC. While some companies successfully distribute books in unencrypted formats, many publishers are fearful of the possibility of books being copied willy-nilly over the internet. Consequently, the usual snake oil is being peddled; in this case technologies for what the business calls Digital Rights Management which are incapable of doing the job they're sold for. DRM is essentially software-only copy protection, and Adobe's E-book software is basically a DRM-enabled version of their familiar Acrobat portable document format generator, aimed at a market consisting of nervous publishers.
Historically speaking, if you bought a book on paper you are entitled to do anything you please with it except copy it and sell the copies. You're allowed to sell it second-hand, to copy it for personal use, or -- within limits -- to copy extracts from it for study. You're allowed to lend it to someone else to read. (If you didn't have this right, public libraries would be in trouble.) But in the stampede towards DRM-controlled ebooks, these basic rights go out the window -- along with related rights, such as the right to record a TV program and view it at some other time. If you buy an Adobe ebook you don't have the right to copy bits of it to your operating system's clipboard, or print it, or loan it to somebody else. It is locked up solid -- at least, that's the theory. Some of this stuff is real snake oil. eBook Pro, from the rather dubious-sounding "Internet Marketing Center", claims to be "the only software in the universe that makes your information virtually 100% burglarproof! comes with a lifetime money back guarantee. At last you can sell information online without the danger of having your information stolen and resold by others!" (If you believe this claim, read on ...)
Back to Sklyarov. Elcomsoft, the company he works for, wanted to create a product to crack the Adobe e-book encryption. There are legitimate reasons for doing this: a visually handicapped reader might need to cut-and-paste text to feed it to a speech synthesizer, for example, or a teacher -- in accordance with the law on "fair use", or "fair dealing" as it's termed in UK law -- might want to copy a paragraph or three for a class text. What Sklyarov found, to his surprise, was that the encryption Adobe used was pretty poor; 40-bit RSA, vulnerable to cracking in very short periods of time using contemporary hardware. Some of the other DRM packages were even worse, using encryption that could have come off the back of a cereal packet. For example, take eBook Pro: first, the HTML pages and graphics files are compressed using the standard free Zlib compression algorithm. Then, the compressed files are XOR'd byte-by-byte with each byte of the string "encrypted". You could break this tenuous scheme with pencil and paper.
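The eBook Pro scheme described above can be written out in a few lines, which makes its weakness concrete. This is an added example, not code from the article, from Sklyarov's paper or from eBook Pro itself; the function names and the sample page are hypothetical. The article's wording admits two readings (each data byte XORed with every key byte in turn, or the key repeated along the data), so both are shown as assumptions.

```python
"""Added illustration of the eBook Pro scheme as the article describes it:
zlib compression followed by XOR with the fixed string "encrypted"."""
import zlib
from functools import reduce
from itertools import cycle

KEY = b"encrypted"  # the fixed string named in the article

# Constructed sample input standing in for one HTML page of an e-book.
SAMPLE_PAGE = b"<html><body><h1>Chapter 1</h1><p>Sample text.</p></body></html>"


def constant_mask(key=KEY):
    """Reading A: every data byte is XORed with each key byte in turn.
    XOR is associative, so nine XORs collapse into one XOR with one byte."""
    return reduce(lambda a, b: a ^ b, key, 0)


def xor_every_key_byte(data, key=KEY):
    """Reading A, done the long way: XOR each byte with all nine key bytes."""
    out = bytearray(data)
    for k in key:
        for i in range(len(out)):
            out[i] ^= k
    return bytes(out)


def xor_repeating_key(data, key=KEY):
    """Reading B: the key is repeated along the data (repeating-key XOR)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def protect(page, xor_step):
    """Compress, then mask: the two steps the article lists."""
    return xor_step(zlib.compress(page))


def unprotect(blob, xor_step):
    """XOR is its own inverse, so the same step removes the mask."""
    return zlib.decompress(xor_step(blob))


def looks_like_zlib_header(b0, b1):
    """RFC 1950: the low nibble of byte 0 is 8 (deflate), the window-size
    nibble is at most 7, and CMF*256+FLG is a multiple of 31."""
    return (b0 & 0x0F) == 8 and (b0 >> 4) <= 7 and ((b0 << 8) | b1) % 31 == 0


def masks_consistent_with_zlib(blob):
    """Audit check for reading A: of the 256 possible one-byte masks, which
    leave a well-formed zlib header and a stream that decompresses?
    The whole key space is 256 values, and the file format itself
    singles out the right one."""
    hits = []
    for m in range(256):
        if not looks_like_zlib_header(blob[0] ^ m, blob[1] ^ m):
            continue
        try:
            zlib.decompress(bytes(b ^ m for b in blob))
        except zlib.error:
            continue
        hits.append(m)
    return hits


if __name__ == "__main__":
    blob = protect(SAMPLE_PAGE, xor_every_key_byte)
    print("reading A collapses to one mask byte:", hex(constant_mask()))
    print("masks consistent with a zlib stream:",
          [hex(m) for m in masks_consistent_with_zlib(blob)])
    print("round trip, reading A:",
          unprotect(blob, xor_every_key_byte) == SAMPLE_PAGE)
    print("round trip, reading B:",
          unprotect(protect(SAMPLE_PAGE, xor_repeating_key),
                    xor_repeating_key) == SAMPLE_PAGE)
```

Under either reading the "key" is a constant shipped inside every copy of the reader, so the scheme is obfuscation rather than encryption: there is no per-user or per-book secret for it to protect.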
With the Elcomsoft software on sale from their Moscow-based website, Sklyarov flew to DefCon in Las Vegas to deliver a paper on the encryption techniques used by ebook security firms -- exposing several of them (Adobe included) as expensive snake oil. But Adobe took exception to his speech -- and told Federal prosecutors that, in reverse-engineering their encryption scheme for purposes of making an end-run around a copy protection system, Sklyarov had unwittingly violated Section 1201 of the Digital Millennium Copyright Act.
The Feds arrested Sklyarov on the spot. Under public pressure, Adobe distanced themselves from the incident, but the case was already in the hands of the federal prosecutors, who on August 20th arraigned him before a grand jury to face five felony charges -- conspiracy (with Elcomsoft) to violate the DMCA, and additional charges of reverse-engineering a copy protection system. If guilty, he faces fines of up to $2 million and 25 years in prison, for carrying out programming activities which are perfectly legal in his home country -- simply because Adobe found him embarrassing.
What's wrong with copyright law?
If we're not lucky, the Sklyarov case -- or something very like it -- could happen here. It throws into sharp relief a conflict over copyright that has been brewing for the past decade, incubated by a World Trade Organisation agreement designed to pave the way for global trade in intellectual property, and which is now being used as a lever for the introduction of draconian punishments for hitherto legal behaviour all around the world. It's the conflict between digital data -- which is inherently easy to copy -- and the big corporate interests that make their money by selling access to digital data. And far from having the public's best interests at heart, the big copyright holders are making a bid for power unprecedented since the industrial revolution.
The key weapon in their power grab: copy protection software.
Harvard law professor Lawrence Lessig opines: "copyright law is balanced." And he's broadly right. Copyright law gives an author the right to take someone who makes unauthorised copies of their work to court -- but it gives the purchaser certain rights, too, and doesn't give the copyright owner any right to dictate what they can do with a work once they've bought it. But wrapping data -- be it music or books -- up in software changes the playing field. "There's nothing to guarantee that code protecting copyrighted material will be balanced as well," says Lessig -- no guarantee that the blind will be allowed to feed the ebook they've just bought to their speech synthesizer or braille printer. "Quite quickly the debate about copyright in cyberspace moved to the question: What of the balance of copyright when code, rather than law, is the protector? How do we assure access and fair use when it is a program, not a judge, which decides who gets access when?"
And the big corporate interests lobbied for -- and got -- preferential treatment of copy protection software. In the United States, the DMCA makes it a federal crime to try and work around copy protection software: the reader's rights are restricted to whatever the software permits, not by the limits of copyright law. Worse: the DMCA is one of a family of laws being pushed forward around the world. The European Commission has just passed the European Union Copyright Directive (EUCD), which contains clauses alarmingly similar to the DMCA. The Free Trade Area of the Americas is pushing DMCA-like laws on all American countries. And the World Trade Organisation is trying to harmonise copyright law in a manner that abolishes traditional "fair use" rights.
How did we get into this mess? What does it mean for our future? And can we escape?
The finest laws money can buy
The Digital Millennium Copyright Act didn't spring fully-formed from the fevered brain of an idealistic congressman. To trace its roots we need to look at the World Trade Organisation; a body that attempts to set the ground rules for global free trade. In the early 1990's, the WTO was debating the issue of copyright. Traditionally, US copyright laws differed from those of European states. Furthermore, some other countries (notably the People's Republic of China) had no effective copyright laws. A committee working under the auspices of the WTO and the UN, the World Intellectual Property Organisation, set out to draft a global standard for copyrights and patents. The WTO is the body responsible for GATT and TRIPS, the legal keystones of the global free trade infrastructure.
WIPO was a UN committee populated by the great and the good -- primarily diplomats and politicians and corporate leaders. In retrospect it's not surprising that the document they came up with, the World Intellectual Property Organization Copyright Treaty and Performances and Phonograms Treaty, disproportionately reflected the interest of large organisations. Some of the meat in the WIPO treaty is unarguably a good thing; for example, a copyright recognized in one signatory country is recognized in all. But other aspects are bad. For example, the Right of Reproduction was drafted in such a way that it controls "direct or indirect reproduction [ ... ] whether permanent or temporary, in any manner or form". This arguably extends copyright cover to data stored in a cache on the internet, or in your computer's memory. This particular clause was nobbled at the last minute by a coalition of telecoms companies, ISPs, and free-speech advocates -- but other defects remain. For example, the 1996 treaty didn't make any mention of "Fair Use" -- the doctrine under which libraries and educational users are permitted to make limited copies or quote from copyrighted works in other works.
In other treaties WIPO has prepared -- such as the draft 1997 treaty on Database copyrights -- they've shown a marked bias towards extending the scope of intellectual property protection, encroaching on the informational commons. The Electronic Frontier Foundation summed up the database treaty's defects: "making facts rather than expressions copyrightable; making non-creative assemblages of obvious information copyrightable; encouragement of monopolism; undermining of the public's fair use rights to government information maintained by contractors; vagueness in definitions to the extent that "database" can mean almost anything; providing for the copyright of even minute amounts of information in a database; establishing essentially infinite-duration copyright by allowing a minor change to a "database" to reset the period of copyright coverage; attempting to hold online system operators liable for the actions of users beyond their control; and finally prohibiting necessary reverse engineering, cryptanalysis and software recovery by greatly over-broad criminalization of tools to perform these tasks if they can also conceivably be used for copyright infringement."
But the database treaty, like the previous copyright treaty, was passed anyway -- and the sting is in the tail of that final summing-up by the EFF.
In the United States, two laws were passed as a result of these treaties: the Database Investment and Intellectual Property Antipiracy Act of 1996 (H.R. 3531), and the better-known (and infamous) Digital Millennium Copyright Act of 2000 (H.R. 2180). While the DIIPA Act implemented chunks of the Database treaty, it was the DMCA that really brought down the hammer on civil liberties in a big way.
The DMCA was put forward by congressman Howard Coble, chair of the House Judiciary Committee. Actually, it had its roots in an earlier proposed law, H.R. 2281 "WIPO Copyright Treaties Implementation Act" -- but this was merged with a bundle of other amendments under Coble's guidance. Coble is a lawyer; prior to election he worked as an attorney, and since then he's specialised in intellectual property laws -- passing them, that is, on behalf of his corporate clients. For example, take Mickey Mouse.
Originally the term of copyright in the US was set at 14 years, plus one 14-year renewal. This has progressively been increased; Disney Corporation has no desire to set the Mouse free. So in 1995 Disney went to Congress to get the copyright term extended again, this time to 95 years. "The Disney Political Action Committee (PAC) lined up Republican and Democratic co-sponsors on the two Judiciary Committees and rewarded them with direct campaign contributions. Disney PAC cash contributions totalled $95,805 to Democratic Members of Congress and $53,807 to Republican Members, in addition to in-kind contributions," says conservative political columnist Phyllis Schlafly; Howard Coble received the largest donation. It wasn't just Disney Corp who opened their cheque book; the Motion Picture Association handed out the money, too. In return, the congressional and senate judiciary committees made damn sure that the copyright extension bill wasn't debated in public by the house or in front of public committee hearings. It passed on the nod in 1998.
(For details see Schlafly's column in question.)
In point of fact, Howard Coble was in the pocket of the copyright industry. During the 1996 election, less than 25% of the donations his campaign received came from constituents; most of his funding came from large corporations, including hefty donations from law firms and associations ($37,850) and TV/Film/Music publishers ($21,450). You can find the details for that election here and you can find a chart of his current campaign contributions at opensecrets.org ... from a British political perspective it's an eye-opener to see that the election campaign for the chairman of the main US political committee responsible for copyright law is funded by organisations like the Association of Trial Lawyers of America, ASCAP (a music rights licensing body), and other large organisations. It's probably not an exaggeration to say that in comparison with Howard Coble, Neil Hamilton, Jeffrey Archer, or Jonathan Aitken are all paragons of virtue.
The general pattern of legislation is this:
First, large corporations lobby international treaty organisations such as the WTO or WIPO whenever they discuss issues that impinge on their rights. (Mere private citizens don't get a look in at this stage, because lobbying an international inter-governmental committee is an expensive business involving lots of travel and expense-account lunches.) A treaty is drafted and the main interests represented at the lobbying stage have their say.
Once the treaty is signed, signatory governments have to go and implement it in law. At this point, the Howard Cobles of our world step in and prepare rent-a-law bills that are steered quietly and efficiently through closed committees until the final vote is sprung. They might tack on some additional clauses to suit their sponsors, but in general the goal is to efficiently bring the signatory state into compliance with the treaty -- which, because it's an international treaty and has been signed, is virtually impossible to protest against at this stage.
Finally we get to see what the lobbyists have prepared for us, and it isn't very nice.
The unspeakable in pursuit of the inedible
Huntingdon Life Sciences should need no introduction to British readers. HLS is a biosciences company that conducts animal experimentation on behalf of other pharmaceutical companies. This experimentation is mostly required by law before the Medicines Division of the CSM will countenance human trials on new drugs; it's intended to demonstrate whether or not the experimental substances are likely to prove harmful.
HLS is no stranger to controversy. The company's Certificate of Designation was suspended in 1997 during an investigation over alleged animal cruelty and violations of the conditions (variously) of the Protection of Animals Act 1911 and Animals (Scientific Procedures) Act 1986; the investigation led to the prosecution of two members of staff on animal cruelty charges. HLS has also been investigated on other occasions.
In response to what they perceived as harassment by animal rights protestors, HLS turned to the law as a weapon. In the USA, one of the weapons in their arsenal is the DMCA.
EnviroLink Network is a Pittsburgh-based non-profit ISP; they run roughly 500 websites for environmental and animal rights lobbyists. On August 30th, they received a letter from Huntingdon Life Sciences. Citing the DMCA, HLS accused activists responsible for the website BankofNYkills.com of violating HLS's copyright. That website is directed at producing a US consumer boycott of the Bank of New York, which extends financial services to HLS. It's also extremely critical of the company.
The small print of the DMCA introduced some ominous language directed at forcing small internet publishers into obedience. If an ISP receives a complaint that a website violates the complainant's copyright, they are in legal jeopardy if they do not shut the site down immediately. The owner of the site has to provide a counter-notification swearing under penalty of perjury that there is no copyright violation; the ISP can then reactivate the site without being held liable for a copyright infringement (if the declaration is later proven to be false). However, the DMCA provides that ten working days must elapse after the counter-declaration is delivered before the website can be reactivated, to give the complainant time to prepare a legal case if they intend to pursue the website through the courts. Thus, by making a simple complaint a company can shut down any web site it chooses, for a period of ten days, with no come-backs.
The DMCA permits the legal equivalent of a denial of service attack against a website. Worse: just because you're in the UK, it does not follow that you are safe. US courts -- in particular, the Californian and New York courts -- hold that an offense may be committed where the web page is based or where a user sees it; a US company can in principle hit a British ISP with one of these orders, and if they fail to shut down a British website that ISP may be accused of conspiracy in a criminal case of copyright violation in the US -- an extraditable offense. Indeed, the Council of Europe draft Cybercrime Treaty may make copyright offenses in general extraditable without "dual criminality" -- that is, even if it's legal at home, you may still be extradited for it to stand trial under a foreign law.
As for British law, that's even worse! Since the "Godfrey v. Demon" lawsuit of 2000, any British internet service provider will pull anything if you send them a lawyer's letter; the judgement in that case ruled that the ISP was acting as a publisher, so an allegation of copyright violation could well imply that the ISP is guilty of complicity in a criminal offense.
Which brings us neatly back to poor Dmitry, currently on bail in California but facing up to 25 years in the federal slammer for explaining that Adobe's e-book encryption was nothing of the kind.
The DMCA explicitly forbids reverse-engineering or otherwise circumventing a copy protection mechanism -- an implementation of the WIPO database treaty. And the US courts claim jurisdiction wherever a US citizen or company is affected. Elcomsoft, by selling software over the web to Americans, may well have violated the DMCA. (Their planned defense, that the clause of the DMCA in question violates the First Amendment guaranteeing freedom of speech, doesn't argue the facts: it argues the law.)
Nor is Dmitry Sklyarov the only person affected by the DMCA in this way. The list is enormous; he just happens to be the immediate victim with most at stake.
Professor Edward Felten is currently locked in a lawsuit against the Recording Industry Association of America (RIAA) over the DMCA. In 1999, the RIAA announced the Secure Digital Music Initiative, a project to build copy-protected digital audio formats that could safely be distributed over the net without them being susceptible to copying. To prove the worth of their file formats, they announced a competition and a prize: $15,000 to anyone who could crack them.
Felten was intrigued by the premise, so he and his team of graduate students entered. But when they read the small print they realised that the RIAA would end up owning the details of any successful crack -- so, having proven to their own satisfaction that SDMI was a crock and could easily be defeated, they announced that this was the case, but refrained from entering the second phase of the contest.
When Felten announced his intention of publishing a paper explaining the deficiencies in SDMI, he was startled to receive a letter from the RIAA threatening that discussing his work at an academic conference "could subject you and your research team to actions under the Digital Millennium Copyright Act."
The RIAA is now insisting that this was an honest misunderstanding and they never intended to prosecute professor Felten. This follows a large volume of adverse publicity, the EFF's public offering of legal advice to the professor, and the filing of Felten's counter-suit, alleging that RIAA attempted to deprive him of his first amendment right to free speech. Go figure.
What's clear is that the DMCA has collided messily with the right to free speech in the USA. Developing software has, for the first time, been defined as a criminal offense, based loosely on the software being "usable" as a tool for circumventing restrictions on copying developed by some other party. This is draconian and over-broad; writing any kind of tool that can copy files is a potential violation of the act.
Recently, an anonymous hacker claims to have broken the encryption on Microsoft's e-book format -- but refuses to identify themselves (or publish) for fear of prosecution. Linux development team leader Alan Cox, second only to Linus Torvalds in responsibility for the future of the operating system, has resigned from the committee of USENIX, the US-based technical association. "With the arrest of Dmitry Sklyarov it has become apparent that it is not safe for non US software engineers to visit the United States," says Cox. "Who will be the next conference speaker slammed into a US jail for years for committing no crime?"
Meanwhile, cryptographer Bruce Schneier has some interesting insights into the broader impact of the law: "what the DMCA has done is create a new controlled technology. In the United States there are several technologies that normal citizens are prohibited from owning: lock picks, fighter aircraft, pharmaceuticals, explosives. In each of these cases, only people with the proper credentials can legally buy and sell these technologies. The DMCA goes one step further, though. Not only are circumvention tools controlled, but information about them is also controlled. ... Welcome to 21st century America, where the profits of the major record labels, movie houses, and publishing companies are more important than First Amendment rights or nuclear weapons information. The more you look at the problem, the weirder it becomes. "The New York Times" has the legal right to publish secret government documents, unless they are protected by a digital copy-protection scheme, in which case publishing them would lead to an FBI raid."
It gets worse
The DMCA is bad enough, but the latest emanation from Congress would be funny if it wasn't so evil.
The Security Systems Standards and Certification Act (SSSCA) is a bill being put forward by Senator Fritz Hollings, chairman of the Senate Commerce committee. The SSSCA requires all manufacturers of digital interactive devices (not just computers!) to embed anti-copying controls in them. "All types of digital content, including music, video and e-books, are covered," reports Declan McCullagh of Wired News; under the act "it would be a civil offense to create or sell any kind of computer equipment that 'does not include and utilize certified security technologies' approved by the federal government." The act would also make it a crime (five years in prison or $500,000 fine -- remember, the average rapist serves five and a half years in prison in the USA) to distribute copyright material with 'security measures' disabled, or to attach a computer to any network with copy protection disabled.
The SSSCA hasn't been debated or passed yet, but entertainment industry lobbyists are in favour of it; representatives of Walt Disney Company and Rupert Murdoch's News Corporation were defending it in public in September, days after it was leaked to the press. (Like the DMCA, this act was sneaked in on the side, not trumpeted in public.) "This is an exceedingly moderate and reasonable approach," said Preston Padden, executive vice president of the Walt Disney Company, which helped to draft the bill. And the rhetoric associated with it is increasingly wild: Judith Platt, spokeswoman for the Association of American Publishers said: "They've got their radical factions, like the Ruby Ridge or Waco types", while describing "a very radical view ... that all computer code is protected speech under the First Amendment and that no one--neither a publisher nor an author, nor anyone else--should be able to encrypt copyrighted material to protect it from unauthorized use and reproduction".
So there it is. If you aren't in favour of digital rights management -- whatever your reason, be it wanting to tape a TV program to watch later, or copy a book you bought to read on your palmtop instead of your PC -- you are a terrorist whacko and an extremist; and Senator Hollings is hoping to introduce legislation to make you pay for your crimes.
Home front: the EUCD and Andrew Miller's copyright bill
If all this was simply an American aberration you could be forgiven for yawning and asking "so what?"
Only it isn't. It's coming over here, and you're going to be on the receiving end unless you start writing to your MPs and MEPs right now.
Just as the US Congress implemented the WIPO treaties in law by passing new copyright bills, the European Commission has issued a declaration -- the European Union Copyright Declaration -- that implements these onerous treaty terms. This went through on the nod this summer; you can find the grisly details, care of Eurorights. As Eurorights point out, "Article 6 of the directive is the most important, and most debated, one. Note that a technical protection measure is protected by law even if it contains other restrictions in addition to preventing copyright infringement. This means that technical measures that enforce DVD region locks or deny the act of giving or lending a book is protected by law."
This is the exact same type of measure that's given rise to the DMCA's chilling effect on free speech: the protection of technical protection measures. As Harvard law professor Lawrence Lessig puts it, "The DMCA outlaws technologies designed to circumvent other technologies that protect copyrighted material. It is law protecting software code protecting copyright. The trouble, however, is that technologies that protect copyrighted material are never as subtle as the law of copyright. Copyright law permits fair use of copyrighted material; technologies that protect copyrighted material need not. Copyright law protects for a limited time; technologies have no such limit. Thus, when the DMCA protects technology that in turn protects copyrighted material, it often protects much more broadly than copyright law does. It makes criminal what copyright law would forgive."
It's the responsibility of member governments to implement the EUCD in law as soon as possible -- complete with clauses that hand power over what you can do with an e-book or music download to the authors of the copy protection software, and make it a crime to circumvent, or talk about circumventing, even the most brain dead encryption techniques. If passed into UK law, the EUCD will make it a crime to "chip" your DVD player so that you can watch movies you purchased abroad. Watching them is not illegal -- but circumventing the mechanism that restricts access to them is an offense. Moreover, anyone who feels like it can shut down your website by alleging copyright violation -- and if the DMCA is a precedent, you won't be able to put it up again for two weeks, even if no such violation has occurred.
In case a forthcoming copyright bill in the UK isn't enough to worry you, we have home-grown bad ideas to share with the rest of the world. Andrew Miller, MP for Ellesmere Port and Neston, is keenly interested in teleworking and new technology. That's why he put forward a private member's bill in 2001 that tried to slap a ten year prison sentence on illegal copying of software.
Miller's bill jacks up the penalty for copyright violation from two years to ten, and adds penalties for possession of "articles specifically designed or adapted for making copies of a particular copyright work". Copying a CD could get you a longer prison sentence than most armed robbers or rapists. The bill was dropped because of the impending election, but it may yet be reintroduced: details at the Stationery Office.
So what can you do?
The answer isn't simple. If you're concerned about your rights being eaten away -- be they the right of a teacher to photocopy a couple of pages of a textbook to hand out in class, or your right to watch a foreign DVD or make a tape copy of a CD you bought to play in your walkman, or the general right to speak freely about encryption technologies -- then you should keep an eye on what your legislators are doing. Think about joining the Campaign for Digital Rights (http://uk.eurorights.org). Write to your MP if you hear about a piece of proposed legislation that worries you. Keep an eye on the British clearinghouses for information on these issues -- places such as the Foundation for Information Policy Research or Privacy International.
If you write just one letter you'll have done more than 99% of your fellow citizens. And you may have helped hang onto your rights in the face of a global onslaught on the informational commons, masterminded by corporate lobbyists and fought in the boardrooms of international treaty organisations.