30 Days of DRM – Day 10: Security Research (Circumvention Rights)

Given the priority currently accorded to security concerns, it is difficult to understand how any government would be willing to undermine security in the name of copyright.  That is precisely what has occurred in the United States, however, where computer security researchers have faced a significant chilling effect on their research due to legal threats from the DMCA.  The U.S. cases are fairly well known: they include Princeton professor Edward Felten facing a potential suit from the RIAA when he planned to disclose his research findings in identifying the weaknesses of an encryption program and Dmitri Sklyarov, a Russian software programmer, spending a summer in jail after presenting a paper at a conference in Las Vegas that described his company's program that defeated the encryption on the Adobe eReader.

Even more compelling are recent comments from Professor Felten at a conference at the University of Michigan. 

Felten told attendees that for every two hours he spends researching in the lab, he spends one hour with lawyers discussing what he can and cannot reveal in his research.  Moreover, he advised that he has self-censored every research paper (with the exception of his work that brought the legal threats from the RIAA) and that he was aware of the Sony rootkit threat months before it was publicly disclosed but did not break that story due to legal concerns.  In light of these events, Felten acknowledged that many potential security research scientists were choosing alternative career paths in order to avoid the legal hassles now associated with computer security research.

These same concerns were echoed in Canada in a 2005 letter from the Digital Security Coalition to the then-Ministers of Canadian Heritage and Industry.  The letter noted that:

Understand that the science and business of digital security implicates the practical application of circumvention technologies.  To understand security threats, researchers must understand security weaknesses.  We are not in the business of circumventing technological safeguards for the purposes of exploiting the weaknesses we find; rather, we are in the business of finding and addressing those weaknesses.

Security weaknesses are best found – and addressed – when a variety of security researchers examine a platform or application.  The odds of one party devising the best response to a security issue are slim; the likelihood of an optimal response improves significantly when a community of security researchers has the opportunity to examine and test a platform or application.  Anti-circumvention laws throw a shroud of legal risk over that community, and dampen security research at the edges.  Simply, anti-circumvention laws that provide for excessive control make for bad security policy.

Any new legislation must ensure that researchers and the companies typified by the Digital Security Coalition (which include Canadian leaders such as Third Brigade, Certicom, and Borderware Technologies) are free to conduct their work and to publish their results without fear of legal threats arising from anti-circumvention provisions.  If Canada is to establish a U.S.-style DMCA, it must include an explicit circumvention right that covers security research (both the activity and its dissemination) in academic and commercial settings.


  1. Jonathan Ramsey says:

    Musician and Curmudgeon
    This is truly chilling. I live in the U.S., and it amazes me the contradictions that abound in the new copyright and DRM laws. Knowledgeable legislators and the industry flagrantly thumb their noses at long-standing principles, concepts, and protections of copyright and fair use, while ignorant legislators and the general public are forced to go along for the ride.

    I’m thankful for Sony’s newsworthy DRM debacle. If such issues don’t happen this early in the game, people will remain unaware of the security problems that TPM can create. As time goes on, the number of more insidious incursions and resulting problems that might accumulate on PCs and servers full of personal and financial data could be more difficult to fix.

    Jonathan Ramsey

  2. John Harris Stevenson says:
    Just to be clear, the "conference" at which Sklyarov was "presenting a paper" was the hacker convention DEFCON, which I actually attended that year.