Bruce Sterling on Sat, 18 Aug 2001 04:43:04 +0200 (CEST) |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
<nettime> Europeans, Don't Be American: Part II |
Censorship in action: why I don't publish my HDCP results Niels Ferguson August 15, 2001 Summary I have written a paper detailing security weaknesses in the HDCP content protection system. I have decided to censor myself and not publish this paper for fear of prosecution and/or liability under the US DMCA law. Introduction My name is Niels Ferguson. I'm a professional cryptographer. My job is to design, analyse, and attack cryptographic security systems, a bit like a digital locksmith. I work to make computer systems and the Internet more secure. You would think that people would be in favour of that, right? Computer security and cryptography are hard. It is easy to make mistakes, and one mistake is all it takes to create a weakness. You learn from your mistakes, but there are too many mistakes to make them all yourself. That's why we publish. We share our knowledge with others, so that they don't have to repeat the same mistake. Take a look at <http://www.macfergus.com/niels/dmca/index.html../pubs/publist.html>my publications. You will see a mixture of new designs, analyses, and attacks. This is how we learn and how we improve the state of the art in computer security. HDCP Recently I found the documentation of the <http://www.digital-cp.com>High-bandwidth Digital Content Protection (HDCP) system on the internet. HDCP is a cryptographic system developed by Intel that encrypts video on the DVI bus. The DVI bus is used to connect digital video cameras and DVD players with digital TVs, etc. The aim of HDCP is to prevent illegal copying of video contents by encrypting the signal. HDCP is fatally flawed. My results show that an experienced IT person can recover the HDCP master key in about 2 weeks using four computers and 50 HDCP displays. Once you know the master key, you can decrypt any movie, impersonate any HDCP device, and even create new HDCP devices that will work with the 'official' ones. This is really, really bad news for a security system. If this master key is ever published, HDCP will provide no protection whatsoever. The flaws in HDCP are not hard to find. As I like to say: "I was just reading it and it broke." What do you do when you find a result like this? First, you have to write it down and explain it. Then you publish your paper so that the mistakes can be fixed, and others can learn from it. That is how all science works. I wrote a paper on HDCP, but I cannot publish it. DMCA There is a US law called the Digital Millennium Copyright Act (DMCA), that makes it illegal to distribute "circumvention technology", such as systems that break copyright protection schemes. HDCP is used to protect copyrights. There are lawyers who claim that a scientific paper like mine is a circumvention technology within the meaning of the DMCA, because it explains the weaknesses of a system. I have been advised by a US lawyer who works in this field that if I publish my paper, I might very well be prosecuted and/or sued under US law. This is outrageous. The risk to me I travel to the US regularly, both for professional and for personal reasons. I simply cannot afford to be sued or prosecuted in the US. I would go bankrupt just paying for my lawyers. I want to make it quite clear that Intel, who developed the HDCP system, has not threatened me in any way. But the threat does not come only from Intel. The US Department of Justice could prosecute me. Any other affected party, such as a movie studio whose films are protected with HDCP, could sue me under the DMCA. That is a risk I cannot afford to take. The simple alternative would be to never travel to the US again. This would harm me significantly, both professionally and personally. It would lock me out of many conferences in my field, and keep me away from family and friends. It all sounds a bit too far-fetched, right? Who would sue over the publication of an article? Well, there are very good reasons to believe that I risk a lawsuit if I publish my paper. A team of researchers led by Professor Edward Felten was recently threatened with a DMCA-based lawsuit if they published their own scientific article. The resulting court case is still pending. Freedom of speech We have this little principle called the freedom of speech. It is codified in the <http://www.hrweb.org/legal/udhr.html>Universal Declaration of Human Rights, the <http://www.law.emory.edu/FEDERAL/usconst.html>US Constitution, and Dutch law. The whole point of freedom of speech is to allow the free circulation of ideas and to let the truth be heard. There can be no doubt that my paper is protected by the free speech rights. The DMCA imposes a serious restriction on the freedom of speech. The DMCA makes it illegal to talk about certain security systems. The equivalent law for non-digital protection systems would make it illegal to warn people about a cheap and very weak door lock being installed on their houses because criminals could also use that same information. In western society we restrict the freedom of speech only for very serious reasons, and after careful consideration. For example, it is illegal to shout "fire" in a crowded theatre, or to ask someone to commit a murder. The DMCA restricts the freedom of speech because the movie industry is afraid of losing money. Below I will argue that the DMCA does not achieve that goal, but that aside: do we really want to sell our freedom of speech for money? The DMCA is a scary development. Next time that commercial interests clash with the freedom of speech, the industry will point to the DMCA and claim they need equivalent protection. They might outlaw the publication of a report detailing bad safety features in a car, or of flaws found in a particular brand of tires. After all, those publications harm industry too. Where will it stop? Jurisdiction The DMCA is a US law. I am a citizen of the Netherlands, and I live and work in Amsterdam in the Netherlands. Why do I care about the DMCA at all? The USA is apt to apply its own laws way beyond its own borders. Dmitry Sklyarov, a Russian programmer, was arrested last month in the US. He is charged with violating the DMCA while performing his work in Russia as an employee for a Russian firm. As far as we know, what he did was perfectly legal in Russia, and in most other countries in the world. He is now out on bail, but cannot leave northern California until further notice. Where does this lead to? What if countries start applying their own laws to the things people do in other countries? Will you be arrested next time you go abroad? Do you really want to take that holiday in China if you have more than one child? Are you sure that Germany allows you to have those links to political pamphlets on your web site? This type of extraterritorial application of national law violates a basic human right, because you cannot possibly know which laws apply to you. Imagine living in a country where the laws are kept secret, and you never know whether you are violating a law. Suppose a US citizen works for a firearms manufacturer in the US, making guns. One of those guns turns up here in Amsterdam and is used to commit a crime. This person takes a holiday over here in Europe, and is arrested for violating the Dutch firearms laws because he helped manufacture the gun in the US. That is what happened to Dmitry. Is that fair? Is that how we want to run this world? The principle of applying national laws to anybody that publishes anything anywhere in the world is terrifying. If we allow this principle to be used, we will never be free again. You will get a choice. You can decide to never leave your country for any reason whatsoever. This means you might not even be able to attend a wedding or funeral of a loved one. Alternatively, you can restrict all your statements to satisfy the laws of all the countries you could conceivably travel to. You might as well not say anything, because it is very hard to find something that is legal in all jurisdictions. We either lose our right to travel, or our right to speak and be heard. Which fundamental human right do you want to give up today? DMCA does not work The DMCA is a fundamentally flawed law. It is ineffective, and actually harmful to the interests it tries to protect. It stops me publishing my paper now, but someday, someone, somewhere will duplicate my results. This person might decide to just publish the HDCP master key on the Internet. Instead of fixing HDCP now before it is deployed on a large scale, the industry will be confronted with all the expense of building HDCP into every device, only to have it rendered useless. The DMCA ends up costing the industry money. No points for guessing who ends up paying for it in the end. In the long run, the DMCA will make it much easier to create illegal copies. Why? If we cannot do research in this area, we will never develop good copyright protection schemes. We will be stuck with flawed systems like HDCP, to the delight of the criminals. The DMCA has been called the Snake Oil Protection Act. When a manufacturer makes a defective product, you expect them to fix it. Not in this case. The DMCA protects the manufacturer of a defective product by making it illegal to show that the product is defective. Who came up with this idea? Copyright law Copyright law is a careful balance between the rights of the author and the public interest. The author gets a limited-time exclusive right to reproduce his work. The public gets free use of the work once the copyright expires. Furthermore, the public gets certain "fair use" rights. These include the right to use short quotes from the work in a review, for example, and the right to create a parody. If you buy a copy of a copyrighted work, you also have the right to make an extra copy for your own use. A student can make a copy of a page in his textbook to mark it up while he studies. In a sneaky way the DMCA eliminates all these "fair use" rights of the public. As long as the work is protected using copyright protection technology, none of the "fair use" rights can be exercised, because it is illegal to create or own the tool with which you can exercise your fair use rights. Copyright expires, but the DMCA ensures that even when it does, the work still does not enter the public domain. The US supreme court has held that the "fair use" rights are exactly the safety valve that prevent the copyright law from violating free speech rights. This might be another reason why the DMCA is unconstitutional. In Dmitry's case, he wrote software that decoded encrypted digital books. His software has many uses. Many digital books only allow the book to be viewed on the screen. If you are blind and want to read the book on your braille display you have to use something like Dmitry's software. This is perfectly legal under the "fair use" rules of copyright law, but the DMCA forbids it thereby prohibiting blind people from accessing such books. Why this mess? Why did the movie industry campaign for the DMCA if it doesn't work? The movie and record industry have a history of claiming that new technologies will bankrupt them. When video recorders were first introduced, they swore that they would go bankrupt if people could record movies. Now they make a lot of money selling video tapes. Now they swear that they will go bankrupt if we do not restrict the freedom of speech and the public's fair use rights. Why should we believe them this time around? The DMCA exists because the movie and record industry lobbied heavily for it. It is a very one-sided law that clearly has not been thought through properly. The industry has managed to eliminate the careful balance of the copyright law and replace it with a law that effectively gives them an unlimited monopoly on copyrighted works. Could it just be that this is the real motive behind their lobby? Can we fix the DMCA? Sure. That wouldn't even be very difficult. Making and selling unauthorised copies of copyrighted works is already illegal in most jurisdictions. We could change the copyright law to impose stiffer penalties if the copyright violation involves breaking a copyright protection scheme. A bit like the difference between trespassing and breaking and entering. A law like this would achieve exactly what we want: it would restrict illegal copying of copyrighted works. It would not restrict the freedom of speech, or do away with our fair use rights. More information You can find lots more information about the DMCA and the cases of Professor Felten and Dmitry Sklyarov on the <http://www.eff.org>EFF web site. My <http://www.macfergus.com/niels/dmca/index.htmlfelten_declaration.html>decla ration in the Felten court case. ---------- Copyright © 2001 by Niels Ferguson, last update 2001-08-16, comments to <mailto:niels@ferguson.net>niels@ferguson.net <http://www.macfergus.com/niels/dmca/index.html../index.html>[home page] # distributed via <nettime>: no commercial use without permission # <nettime> is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body # archive: http://www.nettime.org contact: nettime@bbs.thing.net