Section 10.5. The Threat to Research

10.5. The Threat to Research

Again in the DMCA, copyright bleeds beyond entertainment media and content. Here, it also chills research into encryption that may be used to secure copyrighted works, regardless of whether that research touches entertainment content directly.

When the Secure Digital Music Initiative (SDMI) invited programmers to "attack" security technologies they were promoting to control digital music, Princeton computer science professor Ed Felten and his team stepped up to the challenge. They broke the security and prepared a scientific paper analyzing the weaknesses of digital audio watermarking. By scrutinizing these implementations, they could help the public, and particularly those considering watermarks to protect their own materials, to evaluate the security of watermark technologies.

But when the Felten paper was accepted for presentation at a computer security conference, its authors were threatened with a lawsuit from the Recording Industry Association of America (RIAA) and SDMI's technology providers. RIAA and the technology companies claimed that even the scientific analysis of flaws in security technology "would subject [the] research team to enforcement actions under the DMCA and possibly other federal laws." The RIAA suggested that the paper and conference presentation fell under the DMCA's antidevice prohibition, which bans offering to the public "any technology, product, service, device, component, or part thereof," designed or marketed for circumvention or having only limited commercially significant other purposes. Facing legal pressure on conference organizers and researchers, the team withdrew the paper.

While Professor Felten and his team ultimately published a version of the paper, "Reading Between the Lines: Lessons from the SDMI Challenge," they were forced to strip out technical detail. With the vague anticircumvention threat hanging, the authors felt they had to omit code samples that could be construed as aiding circumventioneven though that code would have helped other researchers and developers to understand the watermarks' weaknesses better and to learn from SDMI's errors in building their own security systems.

The work of the Felten team never infringed copyright. The researchers did not copy a single piece of music without authorization, nor even produce tools that enabled others to do so directly. And yet, they were caught up by the DMCA's vagaries because their paperintended to educate other researchers and developers of security systemsmight also have provided "part" of a tool for circumventing a copyright control. Will the same hurdles rise before someone who builds a tool to strip accidental copy protection from fonts he himself has created; security researchers who find vulnerabilities in network software they analyze; someone describing hardware modifications to make the Xbox a more general-purpose device? So far, the answer has been "yes" for Tom Murphy, SNOsoft, and Bunnie Hwang.

For those who are attracted to open source development because of its opportunities to learn from and share with others, this antiresearch aspect of the DMCA should be particularly troubling: research is being chilled precisely because it teaches too much, because its teaching might be misused. Of course, closing systems doesn't stop them from having security flaws, or even prevent those flaws from being discovered, and it does block some of the most effective information sharing around better security. Both the teaching that open source developers depend on to improve their programs and the teaching of open source code itself are at risk.

Further, the DMCA has been used in attempts to block competitive interoperability of devices including printer toner cartridges and remote control garage door openers, as manufacturers add little scraps of code to devices and hope to leverage its "protection" into market control. Though those arguments have been rejected so far, it's unlikely we've seen the last of them.