23 July 2001. Thanks to Declan McCullagh.



*********

[Below is from Bruce Schneier <schneier@counterpane.com> --Declan]

Russian Hacker Arrested

On Monday in Las Vegas, the FBI arrested a Russian computer security researcher, because he presented a paper on the strengths and weaknesses of software used to protect electronic books.  Because of the Digital Millennium Copyright Act (DMCA), which makes publishing critical research on this technology more serious than publishing nuclear weapon design information, Dmitry Sklyarov (age 27) landed in jail.  Just how did the United States of America end up with a law protecting the entertainment industry at the expense of freedom of speech?

I've already written about the DMCA, and the futility of employing technical solutions to prevent digital copying.  The specific DMCA provision at work here is the one which explicitly forbids the invention and distribution of "circumvention devices" and "reverse engineering of document protection."  Basically, it is illegal to break--or show how to break--technology used to protect digital copyright.  If you do, you go to jail (see above).

Technically, the law only protects "effective" copy-protection technology.  This is a wonderful piece of circular logic: surely if is has been broken, then it wasn't effective.  The complaint against Sklyarov sidestepped this problem: "Nevertheless, because the book sold in encrypted form and only accessible through the eBook Reader and is not duplicatable, the copyright holder's interest in the book is protected."  But if that were true, then there would no grounds for the case.

There are also provisions in the DMCA to allow for security research, provisions that I and others fought hard to have included.  But these provisions are being ignored, as we've seen in the DeCSS case against 2600 Magazine, the RIAA case against Ed Felton, and this arrest.

What the DMCA has done is create a new controlled technology.  In the United States there are several technologies that normal citizens are prohibited from owning: lock picks, fighter aircraft, pharmaceuticals, explosives.  (Ignore guns, since the 2nd Amendment makes it impossible to generalize from their example.)  In each of these cases, only people with the proper credentials can legally buy and sell these technologies.  The DMCA goes one step further, though.  Not only are circumvention tools controlled, but information about them are.  2600 Magazine merely described, and linked to implementations of, DeCSS.  Ed Felton  wanted to present a paper on the deficiencies of the RIAA's various watermark schemes.

I attended Dmitry Sklyarov's talk at DefCon.  What he did was legitimate security research.  He determined the security of several popular E-Book reader products and then notified the respective firms of his findings.  His company Elcomsoft published, in Russia, software that circumvented these ineffectual security systems.  His DefCon talk was a clear and evenhanded presentation of the facts.  He said, in effect: "This security is weak, and here's why."  (One particular company he mentioned stored the password in plaintext inside the executable.  So, anyone with Notepad and a few minutes of scrolling could have the book modified for easy distribution.)

The FBI nabbed him at the request of Adobe Systems, Inc. for breaking the security on Acrobat's E-Reader API, and held him without bail.

In 1979, "The Progressive" magazine tried to publish an article containing technical information on H-Bomb design.  The government claimed publication of the would result in "grave, direct, immediate and irreparable harm to the national security of the United States."  After six months of legal maneuvering, they published it.  In 1971, the government tried to prevent "The New York Times" from publishing "The Pentagon Papers."  The Supreme Court promptly voted 6-3 to reject the government's censorship attempt, with chief Justice Warren Burger declaring that "prior restraints on speech and publication are the most serious and least tolerable infringement on First Amendment rights."

Welcome to 21st Century America, where the profits of the major record labels, movie houses, and publishing companies are more important than First Amendment rights.

In many ways, we're seeing the legacy of the NSA's long war against cryptography and cryptographic information.  Until the late 1990s, the NSA the threat of national security to prevent the dissemination of encryption technologies.  When they could, they blocked the publication and dissemination of information.  When that failed, they concentrated on products, using both legal and illegal methods to block encryption software.  Many people believe the NSA's primary rubric, export controls, would not stand up to a constitutional challenge, but it was never tested.  The NSA eventually gave up.

During those debates I was often asked about the NSA's strategy.  Wasn't it doomed?  Yes, it would eventually fail.  But from the NSA's point of view, every day they could delay the failure was a day of victory.  Maybe the Export Control regulations (they were never laws) were unconstitutional.  Maybe preventing publication of this and that was prior restraint.  Maybe pressuring companies to install back doors into their software was illegal.  But if it worked for a while, it was a win.  The NSA was fighting a holding action, and they knew it.

The entertainment industry is behaving in the same way.  The DMCA is unconstitutional, but they don't care.  Until it's ruled unconstitutional, they've won.  The charges against Sklyarov won't stick, but the chilling effect it will have on other researchers will.  The entertainment is fighting a holding action, and fear, uncertainty, and doubt are their weapons.  We need to win this, and we need to win it quickly.  Please support those who are fighting these cases in the courts: the EFF and others.  Every day we don't win is a loss.

Adobe's Technology and Elcomsoft's Products:
<http://www.planetebook.com/mainpage.asp?webpageid=165>
<http://www.elcomsoft.com/aebpr.html>

Government documents:
<http://www.eff.org/IP/DMCA/US_v_Sklyarov/20010717_eff_sklyarov_pr.html>
<http://www.eff.org/IP/DMCA/US_v_Sklyarov/20010707_complaint.html>

EFF support:
<http://www.eff.org/IP/DMCA/US_v_Sklyarov/20010718_eff_sklyarov_statement.html>

News articles:
<http://www.nytimes.com/2001/07/18/technology/18CRYP.html>
<http://dailynews.yahoo.com/h/nm/20010717/wr/tech_hacker_arrest_dc_1.html>
<http://www.wired.com/news/politics/0,1283,45298,00.html>

Thoughtful analyses:
<http://www.osopinion.com/perl/story/12143.html>
<http://www.securitygeeks.shmoo.com/article.php?story=20010719141720141>

Other DMCA cases:
<http://www.eff.org/IP/DMCA/>

Protecting Copyright in the Digital World

Every time I write about the impossibility of effectively protecting digital files on a general-purpose computer, I get responses from people decrying the death of copyright.  "How will authors and artists get paid for their work," they ask me.  Truth be told, I don't know.  I feel sort of like the physicist who just explained relativity to a group of would-be interstellar travelers, only to be asked: "How do you expect us to get to the stars, then?"  I'm sorry, but I don't know that, either.

I am a scientist, and I explain the realities of the science.  I apologize if you don't like the truth, but the truth doesn't change because people wish it would be something else.  I don't know how authors and artists will make money in a world of easy copyability.  I'm an author myself, personally concerned about protecting my own copyright, but I don't know.  I can tell you what will and won't work, technically.  You an argue whether my technical analysis is correct, but it just doesn't make sense to bring social arguments into the technical discussion.

If I had to guess, I believe companies will find a way to make money despite the prevalence of digital copying.  When radio was invented, people didn't bemoan the fact that radio signals could be listened to, for free, by any receiver tuned to the proper frequency.  They figured out how to make money some other way.  There are lots of financial models that don't require "selling the each" to make money: advertising, patronage, pay-for-performance, pay-for-timeliness, pay-for-interaction, public funding.  I started Crypto-Gram when I was a consultant; I gave the newsletter away and charged for my time.  The newsletter was free advertising.  The Grateful Dead gave away concert recordings but charged for live performances.  Stephen King kept writing chapters of his book as long as a sufficient percentage of his readers paid him to.

I don't know what model will become the prevalent one in the digital world.  But I do know that technical methods to prevent digital copying are doomed to fail.  (This is not to say that social methods, or legal methods, won't work.)  Those companies that have business models that accept this reality are more likely than those who have business models that reject it.  Whine all you like, but reality is reality.

My original analysis:
<http://www.counterpane.com/crypto-gram-0105.html#3>

*********

"FREE DMITRY" PROTEST
JULY 23 -- WASHINGTON, DC

WHEN: Monday, July 23, 2001, 12 noon

WHERE: FBI headquarters, south side between 9-10th and Pennsylvania Avenue NW

WHO: You, and anyone who cares about the right to code freely

WHY: The FBI arrested a Russian cryptologist, Dmitry Sklyarov, on charges of violating the Digital Millennium Copyright Act last week

CONTACT: David Merrill of the Linux Documentation Project and volunteer organizer (david@lupercalia.net, 202.361.0681 cell)

BACKGROUND AND OTHER PROTESTS:
http://www.boycottadobe.com/
http://www.freedmitry.org/

MAILING LISTS:
http://www.lupercalia.net/pipermail/free-dmitry-dc/2001-July/thread.html
http://zork.net/mailman/listinfo/free-sklyarov

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------