
61 Reforms to C-61, Day 26: TPMs – Encryption Research Exception Requires Notice

As discussed in the last entry, Bill C-61 includes an exception for encryption research much like the U.S. DMCA.  The U.S. DMCA exception has been widely criticized as providing insufficient legal protection for legitimate encryption research, leading to significant concerns in the research community about the prospect for liability.  The Canadian provision is little better.  In both cases, the exception requires the researcher to inform the target about plans for circumvention for research purposes.  The Canadian bill replaces the U.S. law's requirement of a "good faith effort to obtain authorization" with a notice requirement ("the person has informed the owner of the copyright in the work . . . who has applied the technological measure").  Notice and/or authorization are unnecessary and potentially chilling.

The exception already includes a condition that "it would not be practical to carry out the research without circumventing the technological measure" and that the person has "lawfully obtained the work," so the researcher has a legal copy and must pass a necessity barrier.  The inclusion of an additional notice requirement should be dropped since it has little to do with copyright protection, yet creates a possible barrier for researchers who need to do encryption research without telegraphing their plans to the target organization.  

16 Comments

  1. Not sure I follow the reasoning
    I am not sure why it would be necessary for a researcher to do the encryption research without telegraphing their plans to the target. The only reason I can think of is reverse engineering for the purpose of developing a competing product (other than researchers for government security agencies, that is)… Perhaps there are others I am missing?

  2. Maupassant says:

    this requirement causes a research chill
    Taking the Ed Felten case as a prototype, it would allow the threats to precede the research, rather than merely threatening over its presentation. This would make it not worth the risk to proceed with the research at all– which is precisely the point.

    The threat against Ed Felten was unusual only in that it provided the proverbial bus-full-of-nuns case. Dr. Felten was (is) both highly respected, and worked at a prestigious university. Although the threat was dropped, the mere fact that *even he* could be threatened created a chill.

    I can see no purpose for a notification requirement other than to allow intimidation.

  3. Anonymous says:

    Funny,
    Kevin's attitude was (to paraphrase) "If the researcher has nothing to hide then why not notify first?" and Maupassant's reply is (again to paraphrase) "If the developing company has nothing to hide, why the requirement to notify?"

    I do love though that whenever someone says something against these the reply from the supporters is always: "If you've got nothing to hide then what's the problem?"

    2008: The year the Conservatives protected our freedoms by removing them.

  4. Maupassant says:

    If by ‘paraphrase’
    … you mean “what I would like your argument to have been”

  5. I don't think so.... says:

    “I can see no purpose for a notification requirement other than to allow intimidation.”

    So you do not mean if the developer has nothing to hide (and therefore no reason to threaten), then why does the researcher have to notify?

    I just thought it was interesting that the nothing to hide argument can work for both sides.

  6. Maupassant says:

    My point is that I didn’t make a ‘nothing to hide’ argument. I regard those arguments as pointless and even misguided. Whether the developer and/or distributor of the TPM technology has anything to hide or not is irrelevant. Since the research proposal’s validity does not depend on them, there is no reason to require researchers to have their proposals vetted by parties who have no interest in seeing it proceed. And this is effectively a requirement for permission, since few granting agencies will continue with a grant in the face of legal threats. And threatening to sue is cheap.

  7. Anonymous says:

    I agree with Kevin. Difficult to think of many instances when this will impede genuine research. More to the point, this 61 reforms to C-61 series is getting silly. Maybe more helpful to focus on serious points because there is no way that everything on the endless list is going to happen. Most countries have this kind of law and Canada will go the same way, with maybe a few changes. There are some problems with the Bill. It won’t bring about world peace either, so try and prioritize.

  8. ohhh… Please can you teach this ignorant man which “Most countries have this kind of law”?

    Thanks much.

  9. Anonymous says:

    Best the good professor can come up with are…Latvia, Slovenia and Israel as examples of countries which have SOME softer provisions on circumvention. Everywhere else, it looks like it will look in Canada. And the UK approach to illegal downloads by kids is to go after the parents and if it continues to slow their internet speed to just above zero.

  10. @anon:

    This actually can impede research by way of making researchers waste a profound amount of time making sure that they can make a legal case that they have “informed the owner of the copyright in the work”. As in, all the company has to do is to make it difficult to contact them, or ignore (or significantly delay) the reply to the notification. After all, if they don’t reply, then you don’t know if you’ve actually notified them or not and ignoring researchers is free.

    So, what can (and will happen a good amount of time) is companies basically making researchers turn their attention to other products and/or areas for their research.

    But, one must ask the question, why do companies need such protections? Everyone else gets along just fine without them. In fact, this is the way the security people have been working since the beginning.

  11. Other countries
    "Best the good professor can come up with are…Latvia, Slovenia and Israel". By my count, the series, which is not even half way through, has also cited New Zealand, Norway, Finland, Australia, the United States, Taiwan, Singapore, Czech Republic, Lithuania, and Sweden. Everywhere else countries are creating exceptions that don't look anything like the Canadian law.

  12. Putting words in my mouth
    For the anonymous poster at 18:14, I agree with Maupassant’s 18:20 posting. My point was in accordance with the first sentence of the 19:01 posting. By the way, did you bother to read my last sentence? In fact, I would argue that they should get hold of them for a couple of reasons. These are:

    1) Since one reason to do this is to look for weaknesses in the mechanism, then the owner of the technology may in fact already know about problems (just may not have advertised them while a fix is underway), which reduces the reason to do the research.

    2) Posting results in an academic paper or on the internet, without informing the developer of the technology, may in fact post enough information to be considered publishing company proprietary information. To contact the developer up front may in fact provide the researcher with publishing guidelines so they can avoid this.

    One of my concerns with academic and research exemptions relates to what we are teaching the university students. If they are not told that what they are doing, out in the real world, would be considered illegal, how well are they being prepared for it? I’ve seen too many examples of people coming out of post-secondary education, universities in particular, who just aren’t prepared. I’ve had them working for me and friends of mine.

    Reid: The proposal for the Canadian law does not require that the researcher actually get permission. While certainly making it difficult to contact them to provide notice would make it difficult to actually start, making it difficult to contact them would likely pose a business problem for the company… after all, if you can’t contact them to get permission for the research, it is difficult to contact them to license the technology. I would think a registered letter to the company would suffice.

  13. Anonymous says:

    Other countries
    The US??? This whole series is how about the demonic US and its DMCA!

    As for the others, their total population isn’t much more than Canada’s and most of them get the bulk of their published output from local companies that often rely on government subsidies.

  14. Notice
    On the matter of providing notice, I feel that to have made a ‘best effort’ at informing the owner should be enough, and that permission should not be necessary.

    Many contracts have a provision wherein you are legally considered to have informed another party a certain number of days after sending that party a registered letter, so as Kevin said this should suffice.

    Granted, the official delivery address is usually written into the contract, but since in this case we’re usually talking about companies and not individuals then a registered company address is easy to find.

    Independent research frequently discovers weaknesses in encryption or software flaws. It would be a detriment to us all if independent people are stifled from performing this research.

  15. Re: Notice
    Certainly independent, outside, research is necessary, if only for the purposes of double checking the in-house mathematicians. Thus, there are two primary ways that I see this occurring.

    First is that the independent researcher decides to look into the algorithm, looking for flaws. He/she then sends the results to the developer of the algorithm so that they can deal with the problem. The risk here is that the researcher provides no value added… what they find is something that is already known. In this case notice is required under the bill. However, should the developer be willing, they may in fact be willing to give the researcher access to information that would allow them to spend the research dollars on looking for problems, rather than on reverse engineering the algorithm.

    The second is that they are contracted by the developer. In this case, notice would not be required.

  16. Notice
    Kevin, I have to disagree with part of your argument for a notice system. You are suggesting that a notice system can save research dollars because a company may, upon notification, decide to release information to the researcher that would make the research unnecessary.

    My problem with this line of reasoning is that this information may be far less likely to become publicly available under the scenario you suggest. To my mind, the “wasted” research dollars would be a small price to pay for increased public knowledge.

    In any case, I’m not convinced that the possible research savings benefit offsets the possible chilling effect detriment of the notice system.