Slashdot Mirror


DMCA Forces Cox To Censor Changelog?

Ross Vandegrift writes: "Alan Cox released 2.2.20pre10 today, which includes security fixes. He is refusing to indicate what security holes have been fixed, as Unix-style permissions could be used as an anti-circumvention device. The thread starts here." It'd be great if people could read the threads here and try to figure out what is going on. I'm a little lost, but it looks like he's being overzealous.

3 of 573 comments

  1. he's just trying to "make a point" by jlv · Score: 5, Informative
    Here are his key points in the thread (and the points that he was responding to):
    > > 2.2.20pre11
    > > o Security fixes
    > > | Details censored in accordance with the US DMCA
    >
    > Care to elaborate?

    On a list that reaches US citizens - no. File permissions and userids may
    constitute and be used for rights management.

    > Are you saying that we can't divulge security problems in our own software
    > anymore for fear of being sued by affected parties?

    Not even affected parties - the government can do it too without anyone else
    and indeed even if there are contractual agreements between parties
    permitting the data to be released.

    I hope to have the security stuff up on a non US citizen accessible site in
    time for 2.2.20 final

    > Putting pressure on US people to have them influence their
    > legislation? Aka. every people have the rulers they deserve? Won't work
    > out.

    "Until they become conscious they will never rebel, and until after
    they have rebelled they cannot become conscious."

    > Seriously, are you kidding?

    The current interpretation of the DMCA is as lunatic as it sounds. With luck
    the Sklyarov case will see that overturned on constitutional grounds. Until
    then US citizens will have to guess about security issues.

    > This would then presumably lead to password protected access for US kernel
    > developers that need to know? And some kind of NDA?

    US kernel developers cannot be told. Period.

    > 'IANAL', and neither are you, are you sure this silliness is necessary?

    It's based directly on legal opinion.

    I stopped reading at this point.
  2. Re:Does DMCA apply here? by Mr Z · Score: 5, Informative

    And if you read the thread, you'll see that Alan Cox's assertion is that UNIX-style permissions can be used for digital rights management purposes. That is, they can be used as an access control to protect copyrighted works that are covered under the DMCA. Therefore, disclosing a security vulnerability which can subvert UNIX-style permissions is equivalent to describing how to circumvent an access-control device as described under the DMCA.

    I would guess that the specific DMCA clause that Alan's affected by is this one:

    • (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--

      • (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

      • (B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

      • (C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

    It would seem Alan's conjecture is that describing a specific vulnerability in the Linux kernel that allows subverting some aspect of Linux's permission structure (which can be used as an access control device to a protected work) constitutes "traffic[king] in any technology [...] or part thereof" that would allow someone to circumvent the access control. Under the current interpretation of the law (re: Sklyarov), detailing a security weakness in a product seems to (a) constitute such trafficking, and (b) seems to fit one of the three clauses 2(A), 2(B), or 2(C) above. (Notice they're connected by an 'or', so it is necessary to fit only one of the three to be in violation of DMCA. I'm guessing the kernel information would fit 2(A).)

    I'm so proud to be an American, where at least I know I'm free[*]. :-P

    --Joe

    [*] For a suitably narrow definition of free.

  3. Re:People! He's Joking! by Simon Brooke · Score: 5, Informative

    I don't think he's joking at all. I think he's dead serious, and I think he's absolutely right to be. European programmers can no longer travel to the United States without risking being arrested for doing things which are perfectly legal where they did them (and in 95% of the rest of the world). Until you guys get this sorted, you have to face up to the fact that the rest of us can't safely share stuff with you.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.