Bruce Sterling on Sat, 18 Aug 2001 04:43:04 +0200 (CEST)



<nettime> Europeans, Don't Be American: Part II



Censorship in action:
why I don't publish my HDCP results

Niels Ferguson
August 15, 2001

Summary

I have written a paper detailing security weaknesses in the HDCP content
protection system. I have decided to censor myself and not publish this
paper for fear of prosecution and/or liability under the US DMCA law.

Introduction

My name is Niels Ferguson. I'm a professional cryptographer. My job is to
design, analyse, and attack cryptographic security systems, a bit like a
digital locksmith. I work to make computer systems and the Internet more
secure. You would think that people would be in favour of that, right?

Computer security and cryptography are hard. It is easy to make mistakes,
and one mistake is all it takes to create a weakness. You learn from your
mistakes, but there are too many mistakes to make them all yourself.
That's why we publish. We share our knowledge with others, so that they
don't have to repeat the same mistake. Take a look at
<http://www.macfergus.com/niels/dmca/index.html../pubs/publist.html>my
publications. You will see a mixture of new designs, analyses, and
attacks. This is how we learn and how we improve the state of the art in
computer security.

HDCP

Recently I found the documentation of the
<http://www.digital-cp.com>High-bandwidth Digital Content Protection
(HDCP) system on the internet. HDCP is a cryptographic system developed by
Intel that encrypts video on the DVI bus. The DVI bus is used to connect
digital video cameras and DVD players with digital TVs, etc. The aim of
HDCP is to prevent illegal copying of video contents by encrypting the
signal.

HDCP is fatally flawed. My results show that an experienced IT person can
recover the HDCP master key in about 2 weeks using four computers and 50
HDCP displays. Once you know the master key, you can decrypt any movie,
impersonate any HDCP device, and even create new HDCP devices that will
work with the 'official' ones. This is really, really bad news for a
security system. If this master key is ever published, HDCP will provide
no protection whatsoever. The flaws in HDCP are not hard to find. As I
like to say: "I was just reading it and it broke."

What do you do when you find a result like this? First, you have to write
it down and explain it. Then you publish your paper so that the mistakes
can be fixed, and others can learn from it. That is how all science works.
I wrote a paper on HDCP, but I cannot publish it.

DMCA

There is a US law called the Digital Millennium Copyright Act (DMCA) that
makes it illegal to distribute "circumvention technology", such as systems
that break copyright protection schemes. HDCP is used to protect
copyrights. There are lawyers who claim that a scientific paper like mine
is a circumvention technology within the meaning of the DMCA, because it
explains the weaknesses of a system. I have been advised by a US lawyer
who works in this field that if I publish my paper, I might very well be
prosecuted and/or sued under US law.

This is outrageous.

The risk to me

I travel to the US regularly, both for professional and for personal
reasons. I simply cannot afford to be sued or prosecuted in the US. I
would go bankrupt just paying for my lawyers.

I want to make it quite clear that Intel, who developed the HDCP system,
has not threatened me in any way. But the threat does not come only from
Intel. The US Department of Justice could prosecute me. Any other affected
party, such as a movie studio whose films are protected with HDCP, could
sue me under the DMCA. That is a risk I cannot afford to take.

The simple alternative would be to never travel to the US again. This
would harm me significantly, both professionally and personally. It would
lock me out of many conferences in my field, and keep me away from family
and friends.

It all sounds a bit too far-fetched, right? Who would sue over the
publication of an article? Well, there are very good reasons to believe
that I risk a lawsuit if I publish my paper. A team of researchers led by
Professor Edward Felten was recently threatened with a DMCA-based lawsuit
if they published their own scientific article. The resulting court case
is still pending.

Freedom of speech

We have this little principle called the freedom of speech. It is codified
in the <http://www.hrweb.org/legal/udhr.html>Universal Declaration of
Human Rights, the <http://www.law.emory.edu/FEDERAL/usconst.html>US
Constitution, and Dutch law. The whole point of freedom of speech is to
allow the free circulation of ideas and to let the truth be heard. There
can be no doubt that my paper is protected by the free speech rights.

The DMCA imposes a serious restriction on the freedom of speech. The DMCA
makes it illegal to talk about certain security systems. The equivalent
law for non-digital protection systems would make it illegal to warn
people about a cheap and very weak door lock being installed on their
houses because criminals could also use that same information.

In western society we restrict the freedom of speech only for very serious
reasons, and after careful consideration. For example, it is illegal to
shout "fire" in a crowded theatre, or to ask someone to commit a murder.
The DMCA restricts the freedom of speech because the movie industry is
afraid of losing money. Below I will argue that the DMCA does not achieve
that goal, but that aside: do we really want to sell our freedom of speech
for money?

The DMCA is a scary development. Next time that commercial interests clash
with the freedom of speech, the industry will point to the DMCA and claim
they need equivalent protection. They might outlaw the publication of a
report detailing bad safety features in a car, or of flaws found in a
particular brand of tires. After all, those publications harm industry
too. Where will it stop?

Jurisdiction

The DMCA is a US law. I am a citizen of the Netherlands, and I live and
work in Amsterdam in the Netherlands. Why do I care about the DMCA at all?

The USA is apt to apply its own laws way beyond its own borders. Dmitry
Sklyarov, a Russian programmer, was arrested last month in the US. He is
charged with violating the DMCA while performing his work in Russia as an
employee for a Russian firm. As far as we know, what he did was perfectly
legal in Russia, and in most other countries in the world. He is now out
on bail, but cannot leave northern California until further notice.

Where does this lead to? What if countries start applying their own laws
to the things people do in other countries? Will you be arrested next time
you go abroad? Do you really want to take that holiday in China if you
have more than one child? Are you sure that Germany allows you to have
those links to political pamphlets on your web site? This type of
extraterritorial application of national law violates a basic human right,
because you cannot possibly know which laws apply to you. Imagine living
in a country where the laws are kept secret, and you never know whether
you are violating a law.

Suppose a US citizen works for a firearms manufacturer in the US, making
guns. One of those guns turns up here in Amsterdam and is used to commit a
crime. This person takes a holiday over here in Europe, and is arrested
for violating the Dutch firearms laws because he helped manufacture the
gun in the US. That is what happened to Dmitry. Is that fair? Is that how
we want to run this world?

The principle of applying national laws to anybody that publishes anything
anywhere in the world is terrifying. If we allow this principle to be
used, we will never be free again. You will get a choice. You can decide
to never leave your country for any reason whatsoever. This means you
might not even be able to attend a wedding or funeral of a loved one.
Alternatively, you can restrict all your statements to satisfy the laws of
all the countries you could conceivably travel to. You might as well not
say anything, because it is very hard to find something that is legal in
all jurisdictions. We either lose our right to travel, or our right to
speak and be heard. Which fundamental human right do you want to give up
today?

DMCA does not work

The DMCA is a fundamentally flawed law. It is ineffective, and actually
harmful to the interests it tries to protect. It stops me publishing my
paper now, but someday, someone, somewhere will duplicate my results. This
person might decide to just publish the HDCP master key on the Internet.
Instead of fixing HDCP now before it is deployed on a large scale, the
industry will be confronted with all the expense of building HDCP into
every device, only to have it rendered useless. The DMCA ends up costing
the industry money. No points for guessing who ends up paying for it in
the end.

In the long run, the DMCA will make it much easier to create illegal
copies. Why? If we cannot do research in this area, we will never develop
good copyright protection schemes. We will be stuck with flawed systems
like HDCP, to the delight of the criminals.

The DMCA has been called the Snake Oil Protection Act. When a manufacturer
makes a defective product, you expect them to fix it. Not in this case.
The DMCA protects the manufacturer of a defective product by making it
illegal to show that the product is defective. Who came up with this idea?

Copyright law

Copyright law is a careful balance between the rights of the author and
the public interest. The author gets a limited-time exclusive right to
reproduce his work. The public gets free use of the work once the
copyright expires. Furthermore, the public gets certain "fair use" rights.
These include the right to use short quotes from the work in a review, for
example, and the right to create a parody. If you buy a copy of a
copyrighted work, you also have the right to make an extra copy for your
own use. A student can make a copy of a page in his textbook to mark it up
while he studies.

In a sneaky way the DMCA eliminates all these "fair use" rights of the
public. As long as the work is protected using copyright protection
technology, none of the "fair use" rights can be exercised, because it is
illegal to create or own the tool with which you can exercise your fair
use rights. Copyright expires, but the DMCA ensures that even when it
does, the work still does not enter the public domain. The US Supreme
Court has held that the "fair use" rights are exactly the safety valve
that prevents the copyright law from violating free speech rights. This
might be another reason why the DMCA is unconstitutional.

In Dmitry's case, he wrote software that decoded encrypted digital books.
His software has many uses. Many digital books only allow the book to be
viewed on the screen. If you are blind and want to read the book on your
braille display you have to use something like Dmitry's software. This is
perfectly legal under the "fair use" rules of copyright law, but the DMCA
forbids it, thereby prohibiting blind people from accessing such books.

Why this mess?

Why did the movie industry campaign for the DMCA if it doesn't work? The
movie and record industry have a history of claiming that new technologies
will bankrupt them. When video recorders were first introduced, they swore
that they would go bankrupt if people could record movies. Now they make a
lot of money selling video tapes. Now they swear that they will go
bankrupt if we do not restrict the freedom of speech and the public's fair
use rights. Why should we believe them this time around?

The DMCA exists because the movie and record industry lobbied heavily for
it. It is a very one-sided law that clearly has not been thought through
properly. The industry has managed to eliminate the careful balance of the
copyright law and replace it with a law that effectively gives them an
unlimited monopoly on copyrighted works. Could it just be that this is the
real motive behind their lobby?

Can we fix the DMCA?

Sure. That wouldn't even be very difficult. Making and selling
unauthorised copies of copyrighted works is already illegal in most
jurisdictions. We could change the copyright law to impose stiffer
penalties if the copyright violation involves breaking a copyright
protection scheme. A bit like the difference between trespassing and
breaking and entering. A law like this would achieve exactly what we want:
it would restrict illegal copying of copyrighted works. It would not
restrict the freedom of speech, or do away with our fair use rights.

More information

You can find lots more information about the DMCA and the cases of
Professor Felten and Dmitry Sklyarov on the <http://www.eff.org>EFF web
site.

My
<http://www.macfergus.com/niels/dmca/index.htmlfelten_declaration.html>declaration
in the Felten court case.

----------
Copyright © 2001 by Niels Ferguson, last update 2001-08-16, comments to
<mailto:niels@ferguson.net>niels@ferguson.net






#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net