Section 1201 Specifics

The RIAA and the SDMI threatened to sue Felten et al. for breaching the anti-circumvention provisions of the DMCA.  The DMCA, representing “the most comprehensive reform of United States copyright law in a generation” [5], was signed into law in 1998.  The anti-circumvention provisions as specified in Section 1201, which concerns the circumvention of copyright protection systems, fair use in a digital environment, and Internet service provider liability [5], did not come into effect until October of 2000.  Section 1201 of the DMCA “criminalizes technologies and technological devices that can be used to circumvent ‘a technological measure that effectively controls access to a [copyrighted] work’” [20].  As part of an additional violation of the anti-circumvention provisions of the DMCA, Section 1201 also states, "No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that . . .”.  While it seems that the RIAA and SDMI interpreted “offer to the public, provide, or otherwise traffic in” to include presenting talks and publishing papers as evidenced by their threatening letter to Felten et al. [20], it is far from clear what legislators had in mind.  

Issues

There are several issues with the DMCA’s anti-circumvention provision.  First, Section 1201 makes mention of a few exceptions to the DMCA anti-circumvention provisions in the context of good faith [17]:

(d) (1) A nonprofit library, archives, or educational institution which gains access to a commercially exploited copyrighted work solely in order to make a good faith determination of whether to acquire a copy of that work for the sole purpose of engaging in conduct permitted under this title shall not be in violation of subsection (a)(1)(A).

(f) (2) “Permissible acts of encryption research. - Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if . . .”

(j) (2) Permissible acts of security testing. - Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to engage in an act of security testing, if such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

However, it does not explicitly include intent to circumvent as a necessary condition for determining a violation the DMCA [20].  For example, encryption researchers break cryptographic security systems to expose weaknesses and flaws in order to improve computer security.  They publish their work so that others – including the SDMI and the RIAA – may learn about potential attacks and better ways to design/implement security systems.  [21] Therefore, it seems that encryption research could actually help organizations such as the SDMI and RIAA by pointing out security flaws before pirates, intending to infringe copyright, exploit them.

Second, Section 1201 manifests critical ambiguities and vagueness, one of which was already mentioned: it is not clear whether "No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that . . .” should be interpreted to include presenting talks and publishing papers.  Pamela Samuelson, Director of the Berkeley Center for Law & Technology, commented, “The notion that a paper about a technology is distributing a technology under 1201 is a stretch in the first place, but even if Congress had meant to reach papers as though they were equivalent to technologies, the First Amendment limits what Congress can do.”  [20]

Finally, it is not clear how legislators are defining or what expertise they are employing to define technical terms [20].   For example, Section 1201 defines “circumvention” and “controlling access to a work” as [17]:

(a) (3) As used in this subsection -

      (A) to 'circumvent a technological measure' means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner; and

       (B) a technological measure 'effectively controls access to a work' if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.

Under these definitions, “Section 1201 could be used to prevent reverse engineering for the purpose of detecting bugs in software, remove viruses, or, possibly, even to remove code that may engage in activities that the user may not want, such as reading the contents of the user's hard disk.”   [20]  For example, if I were to find a bug in my windows operating system, I would want to try to figure out how to fix that bug (or perhaps just try to figure out how to get around it to keep my PC from crashing).  The process of my trying to find out what caused that bug could be construed as a violation of the DMCA. 

Implications

It is not clear whether the legislators of the DMCA, specifically of the anti-circumvention provisions, carefully thought out its implications.

Felten, along with the rest of the computer science community attending his talk (based on comments and questions from the audience), seemed to be distressed that finding and publishing weaknesses and defects in technology aimed at protecting copyrighted works could be in violation of the law, the DMCA in particular.  Felten is worried that his research group should have a “discussion with a lawyer every time [they] try to publish a similar paper.”  Felten et al. are even more worried that computer science researchers might have to legally obtain the right to conduct research that has previously been considered lawful.

Organizations such as the Association for Computing Machinery (ACM) are worried that if Felten and his colleagues were to lose their case, “ACM might need to hire attorneys to review conference and journal submissions that could possibly be in violation of the anti-circumvention provisions of the DMCA.  ACM might even need to terminate conferences and cease publications in areas related to certain kinds of computer security and encryption.  Whatever path ACM were to take, there would be a chilling impact on ACM's ability to publish freely and on the ability of ACM's members to conduct research and to present their results to the public.” [20]

It seems that Stanford’s Department of Computer Science has much to worry about as well.  Aside from conducting encryption related research, the Department’s faculty also teaches courses such as “Introduction to Cryptography and Computer Security”, which in particular teaches students basic theory as well as the practice of cryptographic techniques.   It is not clear whether the Department is in violation of the DMCA for offering such courses.  One of my professors, Dr. David Cheriton, gave a networking talk on January 17, 2002 and was reluctant to discuss a particular encryption mechanism because of the DMCA and Felten’s experience.  I asked Professor Cheriton about his reluctance, and he commented:

“The legal threat against Prof. Felten claiming that a research publication can be a tool for breaking a copy protection scheme has created a legal confusion which has a chilling effect on open discussion of weaknesses in copy protection schemes.  Computer scientists should not have to work under the threat of lawsuit or criminal action when just "doing their job" purely because the law-makers and lawyers cannot unambiguously draft and interpret the law.”

Computer science students have much to worry about, too.  The process of reverse engineering to fix a bug, to make a software more interoperable with other software, or to even figure out how a particular technology works for educational purposes, including homework assignments, is nothing new for classmates and myself; it is not clear whether we can be prosecuted under the anti-circumvention provisions of the DMCA.  It seems almost ludicrous that the Department and its students might have to worry about such concerns especially considering that we have purely non-commercial educational interests; perhaps Stanford’s Department of Computer Science should hire a consulting lawyer to help us with such matters.