DMCA As Censorship: Chilling Effects On Research
from the make-it-stop dept
We were worried about the part of the DMCA called 17 U.S.C. § 1201(a)(1), which says that “No person shall circumvent a technological measure that effectively controls access to a work protected under [copyright law].” We had to disable the rootkit to detect what it was hiding, and we had to partially disable the software to figure out what it was doing. An angry record company might call either of those steps an act of circumvention, landing us in court. Instead of talking to the public, we talked to our lawyer.
And, because of that, the dangerous rootkit lived on for a bit longer, the public blissfully unaware of the massive security holes they were introducing onto their computers, courtesy of a paranoid RIAA. While it was eventually revealed by another researcher, Felten and his students sat on the info for a while (including info on another vulnerability) before eventually releasing the details. That's a clear example of the very real and very dangerous chilling effects of the DMCA. Every time we bring up this concern, maximalists insist that there is no such thing. I'm curious how they explain these examples away.
Felten notes that a bunch of researchers had actually told Congress about this problem back when the bill was first being discussed... and they were mostly ignored:
The research community saw this problem coming and repeatedly asked Congress to amend the bill that would become the DMCA, to create an effective safe harbor for research. There was a letter to Congress from 50 security researchers (including me), another from the heads of major scientific societies, and a third from the leading professional society for computer scientists. But with so much at stake in the act for so many major interests, our voice wasn’t heard. As they say in Washington, we didn’t have a seat at the table.
Congress did give us a research exemption, but it was so narrowly defined as to be all but useless. (So perhaps we did have a seat—at the kids’ table.) I’ll spare you the details, but basically, there is a 116-word section of the Act titled “Permissible Acts of Encryption Research,” and it appears to have been written without consulting any researchers. There may be someone, somewhere, who has benefited from this exemption, but it fails to protect almost all of the relevant research. It didn’t protect Alex and me, because we were investigating spyware that didn’t rely on the mathematical operations involved in encryption.
Congress should fix this, but it seems like there's not much interest in doing so these days, which is unfortunate. While Felten has revealed his situation, we'll never know how many others were similarly stifled, or (worse) how much useful research was never even started because of this kind of risk.