Slashdot Mirror


Researchers Want Right to Bypass Protected Spyware

Dotnaught writes "Computer security researchers Professor Edward Felten and Alex Halderman have asked the U.S. Copyright Office for an exemption (pdf) to the Digital Millennium Copyright Act (DMCA) so that they can circumvent copy protection technology used to protect spyware. The DMCA currently makes it illegal to bypass digital locks almost regardless of what they protect or the user's intent. As noted by the Electronic Frontier Foundation, the Copyright Office theoretically grants exemptions, but in reality discourages anyone from asking. What's significant about the application submitted by Felten and Halderman is that they knew about the dangers posed by Sony's XCP DRM software a month before the news became public. But they delayed publication for fear of prosecution. During that time, many more consumers fell victim to the spyware propagated by Sony."

24 of 266 comments

  1. A horrible idea... by ovit · · Score: 5, Insightful

    This strikes me as a horrible idea.

    I fear that by building these loopholes, we will actually be legitimizing the DMCA as a whole... And we will be losing 1 more datapoint in our arguments against this monstrosity...

    1. Re:A horrible idea... by Miros · · Score: 5, Interesting

      I'm not so sure. Let's face it, we won't defeat the DMCA by continuing to say it's "illegitimate." I think what we need to do is work through its channels to set precedents, so we can build a case for how studying various mechanisms actually helps society more than it hurts it. I don't see any good new reasons to oppose the DMCA coming up if we continue to stonewall it. But if we use its own language to get a foot in the door, we stand a good chance of weakening its stranglehold on certain aspects of security research. (not to mention fair use)

    2. Re:A horrible idea... by Urusai · · Score: 5, Insightful

      We can defeat the DMCA by moving all research to a democratic country. Hopefully, they'll take me with them.

    3. Re:A horrible idea... by nine-times · · Score: 5, Insightful
      Well, IANAL, but the summary that, "The DMCA currently makes it illegal to bypass digital locks almost regardless of what they protect or the user's intent," seems to match what I understand about the DMCA. Now, if we can get enough loopholes in it that it becomes legal again to bypass digital locks and break encryption *for a good reason*, then I have no problem with the DMCA. I'm perfectly fine with people being legally forbidden from bypassing digital locks without any argument as to why they have a valid reason to do so.

      For example, if I encrypt my personal data on my hard drive, I think it should be generally illegal for you to break the encryption, just like it's generally illegal to break into my house. That's fair, right?

      The problem I have with the DMCA is the idea that it might allow someone to lock data that I believe I should have access to, and I have no legal recourse. For example, AFAIK, it's illegal to rip DVDs to your hard drive, even if you have no intention of violating copyrights. To my mind, that's like being forbidden from creating an alternate means of entry into my own house, rather than being forbidden from breaking into someone else's house.

      I guess what I'm saying is, if the US government wants to give stiffer penalties for copyright infringement if the act includes bypassing copy protection, that doesn't bother me. Insofar as the DMCA does that, I don't mind. It only starts bothering me if it's used to go after private individuals who bypass protection for the purpose of fair use.

    4. Re:A horrible idea... by Em Adespoton · · Score: 4, Insightful
      It's been a while since I've read the DMCA, but I'd like to comment on some of your comments.

      For example, if I encrypt my personal data on my hard drive, I think it should be generally illegal for you to break the encryption, just like it's generally illegal to break into my house. That's fair, right?

      Yes, that's fair, and that's why it's illegal even without the DMCA. The trick is that most laws don't make methods illegal, they make actions illegal. Accessing your personal property without permission is illegal.

      The problem I have with the DMCA is the idea that it might allow someone to lock data that I believe I should have access to, and I have no legal recourse. For example, AFAIK, it's illegal to rip DVDs to your hard drive, even if you have no intention of violating copyrights. To my mind, that's like being forbidden from creating an alternate means of entry into my own house, rather than being forbidden from breaking into someone else's house.

      AFAIK, the DMCA says nothing about ripping DVDs; they can be easily imaged to a HDD. The trick is that you get into copyright trouble (DeCSS) when trying to convert them to a new format playable by software not originally designed to play the DVD. Also, the DMCA says nothing about region encoding. Your thoughts on the subject are still valid however.

      I guess what I'm saying is, if the US government wants to give stiffer penalties for copyright infringement if the act includes bypassing copy protection, that doesn't bother me. Insofar as the DMCA does that, I don't mind. It only starts bothering me if it's used to go after private individuals who bypass protection for the purpose of fair use.

      It bothers me -- methods should not create stiffer penalties; actions should. People get caught up in the "technology" used to commit pre-defined crimes, and forget that they are already crimes irrespective of how they were committed. We don't need an "Internet auction fraud" law, because we already have a perfectly usable fraud law that applies. If an old law no longer carries appropriate penalties for a crime, the old law needs to be revised.

      To sum up, everything illegal under the DMCA that should be illegal already was -- everything else is being overturned on a case-by-case basis, which is putting the onus on the innocent parties to prove they're innocent, instead of putting the onus on the prosecution to prove they're guilty. The DMCA is a "guilty until proven innocent" law.

  2. It's Really Sad That... by Nom du Keyboard · · Score: 5, Insightful
    It's really sad that someone has to ask for this exemption. It should have been there from the beginning. Furthermore, I should be able without fear of prosecution to investigate anything on my computer that affects its operation for the purposes of removing it safely and completely without fear of prosecution.

    Just another reason why politicians shouldn't be writing laws concerning subjects they know nothing about.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:It's Really Sad That... by Anonymous Coward · · Score: 5, Funny

      So... you're saying there should only be laws about sucking up, pandering, money grubbing, and backstabbing?

    2. Re:It's Really Sad That... by Nom du Keyboard · · Score: 5, Insightful
      it's not reasonable to assume that they would prosecute you unless you published the information you obtained (indeed, how would they know?).

      By your interpretation, every single user would have to be a Computer Scientist able to diagnose and repair their own complex operating software, since no one could share their discoveries.

      And since Viruses hide themselves, no anti-virus firm could market a product to remove them since that would be making use of illegal bypassing of the Virus's anti-circumvention provisions.

      You see where this leads. Without the ability to share information on threats, the ability to remove and protect against them is essentially nullified. The DMCA is a damn horrible awful thing for consumers.

      --
      "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    3. Re:It's Really Sad That... by ZachPruckowski · · Score: 5, Insightful

      Well, be careful not to overstate the problem. While the language of the DMCA makes it clear that it is illegal to even do this type of investigation with your own computer, it's not reasonable to assume that they would prosecute you unless you published the information you obtained (indeed, how would they know?)

      First of all, I don't like actions that are necessary for my safety to make me a "criminal", even in the theoretical (non-prosecutorial) sense.

      Secondly, it reflects badly on a gov't to have a law that is unenforceable.

    4. Re:It's Really Sad That... by gstoddart · · Score: 5, Insightful
      It's really sad that someone has to ask for this exemption. It should have been there from the beginning. Furthermore, I should be able without fear of prosecution to investigate anything on my computer that affects its operation for the purposes of removing it safely and completely without fear of prosecution.

      Exactly. The computer is the person's property. I don't understand how the owner doesn't retain full control over it.

      But, I'm confused. Isn't reverse-engineering broad enough to cover researchers dissecting it?

      If the day comes that anything with 'digital security' can't be looked at except by those who made it, we'll all be screwed. Hell, I should think you could go around putting a physical device on people's cars and houses that locks them -- and since it's got some digital components, it would be illegal for the owner to open them without running afoul of the DMCA.

      No room for extortion there --- "You're not allowed to remove our lock from your car due to the DMCA, but for $1000 we'll remove it" -- what if the lock was placed illegally? (Or the software was installed surreptitiously in the case of spyware.)

      This is completely irrational. If I go to a store and buy new windshield wipers, the merchant can't make it illegal for me to buy windshield wipers from someone else ever again.

      At some point, the consumer needs the ability to terminate a contract when they no longer wish to do business with someone. Making it illegal to dissect/remove spyware would be like enforced vendor lock-in in the real world. You signed up once, now you have to be signed up in perpetuity??
      --
      Lost at C:>. Found at C.
    5. Re:It's Really Sad That... by Shakrai · · Score: 4, Insightful

      Just another reason why politicians shouldn't be writing laws concerning subjects they know nothing about.

      Actually, you should have said "just another reason why politicians shouldn't be enacting laws that were written by lobbyists". It's a bit unfair to demand that Congresscritters will be experts in all subjects.

      But on a related topic -- why isn't there a CTO (Congressional Technology Office)? There's the Congressional Budget Office -- which is (allegedly) a non partisan office that exists to advise Congress on budgetary issues. They are the ones releasing the figures about Social Security that disagree wildly with what the White House would have us believe.

      So why shouldn't there be a CTO? It's unreasonable to expect that all Congresscritters can be knowledgeable techies. They should have a non partisan agency to advise them about these issues -- then perhaps stuff like this wouldn't be overlooked.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
  3. This story should've had the censorship icon by davidwr · · Score: 4, Interesting

    What's significant about the application submitted by Felten and Halderman is that they knew about the dangers posed by Sony's XCP DRM software a month before the news became public. But they delayed publication for fear of prosecution. During that time, many more consumers fell victim to the spyware propagated by Sony.

    This story deserves the Slashdot Censorship Icon.

    I wonder if the victims can go after the copyright office for contributory negligence? Probably not but it's fun to think about.

    Darn, looks like I missed "first post" by --><-- that much.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  4. Would they have dared? by despe666 · · Score: 5, Insightful

    It would have taken a lot of gall from Sony to sue anyone who would blow the whistle on their rootkit. Their public image has been damaged enough as it is with the rootkit scandal to damage it even more with a stupid lawsuit.

    1. Re:Would they have dared? by MightyMartian · · Score: 5, Insightful

      Look at Sony's first response when it was revealed what they were putting on people's computers. I'll wager Sony would have sued. Remember, these guys have no ethics whatsoever. They'd sell their own mother if they thought they could get away with it. It seems, however, that the corporate whores in Congress won't be doing anything to assure that this stunt leads to jail time and substantial fines for those who thought up the stunt. That sort of treatment is only for little girls, old men and mothers who get accused of pirating. When a big corporation does it, that's okay, because Congressmen are getting whores, cash and vacations. Perhaps that's the solution. Taxpayers should build up bribe accounts so that when they need to protect themselves from ludicrous laws, they can hand it to the whore that represents them so that maybe he won't sell them down the river for a financial blow job.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  5. It's like guns by Red Flayer · · Score: 5, Insightful

    In the US, it is legal (with restrictions) to own a gun. It is not legal to go out and randomly pop a cap in someone's behind. The tool, or mechanism, is legal, but the act is not.

    Contrast that to the restrictions being argued against. The tool, circumvention of copy protection technology, is illegal. The act, distributing copies in violation of copyright, is also illegal.

    Why is circumventing copy protection illegal? Because the **AA want it to be.

    Say I want to rent a bike for the day. I license the use of the bike, and am provided with a bike lock. Is it illegal for me to pick that lock? Even if you go by the **AAs' ridiculous licensing theory, it still doesn't make sense to have circumventing copy protection be illegal.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  6. It's about time by sarlos · · Score: 5, Interesting

    As someone who has worked in sensitive research areas, I have to say it is about time this came up. There were many times in college when we could not tell our sponsors straight out what we were doing because technically it was illegal. We were doing legitimate research, but because of how poorly written the DMCA is, we could have gotten in hot water because of what we were doing.

    What makes it even worse... our sponsor was the Department of Defense. I can not give any specific details because of an NDA, so you will have to take my word on it, but what we were doing was of great value to our serving men and women. This is something that is most definitely sorely needed.

    --
    Government's view of the economy: If it moves, tax it. If it keeps moving, regulate it. If it stops moving, subsidize it.
  7. Scotch Tape by DownWithTheMan · · Score: 5, Interesting

    At the very least I hope Sony is fair when they sue people under the DMCA and that they sue Scotch tape manufacturer 3M... I mean you can use Scotch tape to circumvent copyright protection on Sony CDs and isn't that a violation of the DMCA even though Scotch tape has many legal uses...

  8. Reverse Engineering / Removal by Renraku · · Score: 5, Insightful

    If a company ever tried to bring charges against me because I released a fix to their crippleware/malware/spyware/lameware to neuter it or remove it completely, I would be citing 'home defense' laws.

    They brought their property, on to yours, with the intent to cripple or hinder use of your equipment, without adequately informing you and without your express permission. In my world, this is the same as home invasion. Just the same as a fat man standing over your computer yelling at you or fucking with your machine's innards when you weren't looking.

    It's absolutely retarded that this is even LEGAL. The only reason they haven't been able to apply the DMCA to car innards is because they know that the person OWNS that piece of equipment, and putting in measures to defeat it would be taken apart in all of ten minutes. And spread the information. Eventually it would lead to bad press, as a useless piece of metal would be trying to keep you from having access TO YOUR OWN car. Same thing with computers and software..but people don't think they're as important as things meatside.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  9. This is getting ridiculous by sabre307 · · Score: 5, Interesting

    So does this mean that if I go out and copyright a new computer virus with the USPTO, I can sue the federal government and the anti-virus manufacturers when they crack open my code to figure out how to stop the virus from damaging computers? I would love to see someone try that one. It would almost be worth going to jail for a while if I could patent a nice new form of self-propagating worm, then upload it onto the servers of the *AA. Then, when they figure out how to stop the worm, I can sue them for millions because the only way they can figure out how to stop it is to circumvent my copyright protection and reverse engineer my application. I might spend a while in jail, but I would probably have a smile on my face the whole time!!!!!

    --
    My software never has bugs.
    It just develops random features.
  10. Let me get this straight... by masdog · · Score: 4, Interesting

    Alright, I'm a little confused here. We have laws on the book which prevent breaking into computers and installing "spyware" without the user knowing about it, but if that "spyware" is encrypted/hidden/copy protected in any way, it is also illegal to remove it??

    Is it just me, or is the US government getting too stupid for its britches??

    1. Re:Let me get this straight... by Surt · · Score: 4, Interesting

      The process is clear as defined by current law:

      If you discover spyware is on your system, and your state has laws against that, you may pursue a suit against the spyware vendor.

      If the spyware is protected by anti-circumvention devices, you are not permitted to remove it yourself.

      Ergo, include removal as part of your recompense for damages in the suit. Sony will need to provide for the removal of the spyware, and at its discretion could give you permission to remove the spyware using a 3rd party tool.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  11. Re:Not so fast by six · · Score: 5, Informative

    The DCMA, the US's favorite export.

    Actually the DMCA as well as its EUCD European counterpart are both implementations of the TRIPS international treaty which was brought to us by our loved and highly democratic World Trade Organization.

    It also seems that EUCD is yet more restrictive than DMCA, actually the French implementation of EUCD, if adopted by the parliament at the end of the month, will simply make it illegal to publish free software.

    It's more than time for all this nonsense to stop.

  12. There was one. It was disbanded. by Hobart · · Score: 4, Informative
    why isn't there a CTO (Congressional Technology Office)? There's ... a non partisan office that exists to advise Congress on budgetary issues ... It's unreasonable to expect that all Congresscritters can be knowledgeable techies. They should have a non partisan agency to advise them about these issues

    I agree wholeheartedly. In fact, there was such an agency.

    The Office of Technology Assessment was such a congressional body, founded in 1972, and it lasted until 1995, when the Gingrich Congress came in, it was disbanded.

    More about that here, here, here, and of course on Google.

    --
    Slashcode bug # 497457 - unfixed since December 2001 - Go look it up!
    --
    o/~ Join us now and share the software ...
  13. The US IS less democratic by parodyca · · Score: 5, Insightful

    than it ever used to be.

    Who modded the parent as Flamebait? The US has moved far from its democratic ideals. It may not be any China or North Korea, but it is a far sight less free and democratic than it ever used to be.

    To wit:
    1) DMCA
    2) Patriot Act
    3) Congressional gerrymandering.
    4) Copyright extensions and patent law broadening.
    5) Air travel ID requirements