If I tell you that I'll have to kill you: Red Hat fights the DMCA [Digital Millenium Copyright Act]

The Register USA ^ | 10-16-2002 | John Lettice

[JameRetief]

If I tell you that I'll have to kill you: Red Hat fights the DMCA

By John Lettice

Posted: 10/16/2002 at 04:33 EST

Red Hat has struck a small blow against the DMCA, by publishing a security patch which can only be explained fully to people who are not within US jurisdiction. The company's position here seems to be not altogether voluntary - according to a spokesman "it is bizarre, and unfortunately something Red Hat cannot easily do much about," but like it or not Red Hat has been recruited to the campaign to make the DMCA look ridiculous.

The patch itself is on the Red Hat site, on this page, and the oddity here can be seen if you go down to the bottom. Under the heading "references" there is a link to http://www.thefreeworld.net/non-US/. At this point, those of you reading this while within US jurisdiction should have a care. We will endeavour to unfold the tale to you without exposing ourselves to action under the DMCA, but we stress now that we are not encouraging you to do so, nor is it our intention to provide you with the tools to do so.

Thefreeworld.net is not as yet an especially widely-known site, but its purpose is explained here. Briefly, it notes that the US has shown a readiness to bust individuals who perfectly legally publish information and software outside of the US, on the basis that this is published to people within US jurisdiction, among others. In order to publish this information without getting busted, Thefreeworld.net uses a licensing agreement which specifically rules out people within US jurisdiction. You can see the licence here, and again we stress that people within US jurisdiction should not accept this licence.

This bit makes it all nice and clear:

By continuing you warrant that you:
* are not a citizen of the USA.
* are not under US jurisdiction, including embassies, naval vessels, military bases and other areas of US jurisdiction.
* are permitted to import security information that may include information that can be used to subvert copy or content protection, even though this is not the primary purpose of the supply of this information.
* are not obtaining the information with the intent to commit a crime.
* understand the information is provided without fee and without warranty and/or guarantee of correctness of any kind.
* acknowledge that by downloading the data outside of the European Union you are performing an act of importation.

This rules out several Register staffers, and as Mr Orlowski in particular, not being a US citizen but being within easy reach of the feds, is particularly vulnerable to being lined up in front of a military tribunal in Cuba and shot, we caution him to stay away.

So what's all this got to do with Red Hat? Well, non-qualifying people, we can't exactly tell you that. But when we asked Red Hat about it we got an official comment which at least partially explains it: "RHSA-2002-158 is an errata kernel which addresses certain security vulnerabilities. Quite simply, these vulnerabilities were discovered and documented by ppl outside of the US, and due to the Digital Millenium Copyright Act legislation in the US, it is potentially dangerous to disclose any information on security vulnerabilities, which may also be used in order to circumvent digital security - i.e. computer security. For this reason, RH cannot publish this security information, as it is not available from the community in the first instance. The www.thefreeworld.net site allows for accessing this information, but requires you agree to terms which protect the author and documenter of the patches from being accusations that they themselves have breached DMCA."

Got that? In some instances at least, the very act of explaining what has been fixed by a security patch could be construed as explaining how the security of a product could be breached, and hence could be viewed as a breach of the DMCA.

This is of course ridiculous. Does this mean that all of the companies issuing security advisories are breaching the DMCA? Well, quite possibly. Does it mean The Register's pole position security watcher John Leyden might be breaching the DMCA every day of his life? Oh dear.

Obviously, it is ridiculous, and the notion that the DMCA could be used to send virtually the entire security industry to prison for a very long time is ridiculous - just as ridiculous as the idea that the US authorities are going to start flying non-US citizens to Cuba to shoot them. But if neither of these things are ever going to happen, why do the laws permit them? At the very least, it's untidy.

It seems to us that the authors of the explanatory document which US citizens are not permitted to read would have been most unlikely to get themselves busted by just publishing it. We could of course be wrong, but it seems to us the more likely purpose of the exercise was to make a point, which they have done splendidly.

The document has been copyrighted, and the authors have chosen to restrict its distribution, and to use Thefreeworld.net licence as the mechanism for doing so. Note that it is the copyright, rather than fear of the DMCA, that has forced Red Hat to join in. Looking at the Ts & Cs we think it would probably be OK (i.e. not a breach of copyright) for us to publish it here via a click-through agreement for the benefit (or should that be continuing deprivation?) of US readers, and we could adopt a DMCA defence wall along the lines of Thefreeworld.net's in order to shield ourselves from the other stuff. Not that we'd be any more likely to get busted than the authors, but we feel a responsibility to support their stance here.

But as you already know where you can or can't read it, our duplicating the mechanisms here would serve no purpose. Making points in the way the authors have however does serve a purpose, because it keeps the DMCA in the public eye, and exposes its stupidities. More of this would be good, and possibly most excellent sport, we think.

And the perpetrators? It's not entirely clear, but Red Hat names some of the people involved in the fixes. In addition, we understand that some guy called Alan Cox might have been in some way connected. You may have heard of him. ®

[TechJunkYard]

Reckon how a Linux user is supposed to know whether he needs to apply the specified patch?

Just wait for some Anonymous Criminal to post it on Slashdot.

(Don't click on that link! I'm warning you!)

[dheretic]

Is Oracle really that bad?

Nahhh they're still in the nut-squeezing stage, not the knee-cap-busting-with-baseball-bat stage. That being the case, the government has little power to go after them :)

[altair]

Is Oracle really that bad? ;-p

They invited impeached, disbarred ex-President Clinton to speak; they hired one of his top aides as a consultant. Oracle is really that bad.

[altair]

I don't like Microsoft, but I despise Oracle. Anyone who will pay six figures for disgraced, impeached, disbarred ex-President Clinton to speak is despicable. In my opinion.

[Bush2000]

Has anyone been prosecuted successfully under this law?

[JameRetief]

Has anyone been prosecuted successfully under this law?

Yes. Universal v. Reimerdes (a.k.a. the NY DVD case).

Eight major motion picture studios brought a suit under the DMCA against 2600 Magazine to enjoin it from publishing or linking to DeCSS, a computer program that circumvents the encryption on DVDs, called CSS. DeCSS was developed to help enable DVDs to be played on computers running the Linux system. It also allows the constitutionally protected fair use of DVDs, which is otherwise prevented by the encryption.

The 2nd Circuit Court of Appeals affirmed, The Electronic Frontier Foundation (EFF) moved for an en banc hearing in NY, but was denied.

[TechJunkYard]

There was also some guy busted in California with more than 4500 bootleg video cassettes.

Then there's Felton and Sklyarov, who "almost" got pinched.

[Bush2000]

I was actually referring to individual criminal prosecutions but thank you.

[Bush2000]

The California case has nothing to do with information disclosure. It's all about overt copyright infringement. As for Felton and Sklyarov, the government dropped the case.

[TechJunkYard]

The California case has nothing to do with information disclosure.

He was convicted of "circumvention of a technological measure used to protect a work", which is the heart of the DMCA. There's also a reference to a second case in Nebraska which involved mod-chipping a Playstation. That answers your original question, "has anyone been prosecuted successfully under this law?"

There aren't any convictions under the "disclosure" interpretation; but remember that Sklyarov was charged with trafficking in circumvention technology, even though he personally distributed no software, only information, and that is what has everyone so concerned about the possibilities.

[Arthalion]

Red Hat may me making an important mistake here...publishing this information in OTHER countries may not protect them from prosecution. Many anti-DMCA'ers tend to forget WHY the DMCA was drafted in the first place, and why this problem isn't confined to the US.

In 1996, the World Intellectial Property Organization, a subset of the World Trade Organization (WTO), got together with the intent to streamline copyright enforcement laws, penalties, and extradition rules. The result of this was the 1996 WIPO Copyright Treaty, which was signed by Clinton and approved by Congress. The DMCA is simply the WIPO Treaty codified into U.S. law. Why is this bad? Because it means that copyright violators in ANY signatory country can be extradited to ANY OTHER signatory country to be prosecuted for copyright violation. It also means that if Red Hat's "non-U.S." readme is read in another signatory country, they can be prosecuted right here in the U.S.!

Current signatory countries include:

Argentina
Belarus
Bulgaria
Burkina Faso
Chile
Colombia
Costa Rica
Croatia
Czech Republic
Ecuador
El Salvador
Gabon
Georgia
Guinea
Honduras
Hungary
Indonesia
Jamaica
Japan
Kyrgyzstan
Latvia
Lithuania
Mali
Mexico
Mongolia
Panama
Paraguay
Peru
Philippines
Republic of Moldova
Romania
Saint Lucia
Senegal
Slovakia
Slovenia
Ukraine
United States of America

I do find it funny that the US and Japan are the only first world countries on the list, and that NO E.U. nations signed it.

[Smile-n-Win]

Red Hat may me making an important mistake here...publishing this information in OTHER countries may not protect them from prosecution.

Well, no U.S. official that respects copyright law can possibly know they published it...

[Smile-n-Win]

Oops, sorry, I didn't read the end of your post. (Still, I don't see how evidence could be presented to a U.S. jury without violating the copyright.)

[Bush2000]

He was convicted of "circumvention of a technological measure used to protect a work", which is the heart of the DMCA. There's also a reference to a second case in Nebraska which involved mod-chipping a Playstation. That answers your original question, "has anyone been prosecuted successfully under this law?"

Sure, but the primary complaint being registered by people on this thread is that they can't even talk or write about security issues. The California and Nebraska cases don't support that theory at all. In both of those cases, the individuals in question implemented copyright workarounds. They weren't merely exercising their right to free speech. It's analogous to talking about how to steal a car and actually doing it.

There aren't any convictions under the "disclosure" interpretation; but remember that Sklyarov was charged with trafficking in circumvention technology, even though he personally distributed no software, only information, and that is what has everyone so concerned about the possibilities.

It may have you concerned; however, disseminating non-copyrighted information is guaranteed by the first amendment. Sklyarov and Elcomsoft, if I understand correctly, actually implemented circumvention technology for Adobe eBooks. Sure, they may have talked about it; however, it was the actual implementation that truly got them in trouble.

[gitmo]

Isn't the United States the country that has that "freedom of speech" thing?

[TechJunkYard]

disseminating non-copyrighted information is guaranteed by the first amendment. Sklyarov and Elcomsoft, if I understand correctly, actually implemented circumvention technology for Adobe eBooks. Sure, they may have talked about it; however, it was the actual implementation that truly got them in trouble.

Okay; I'll agree with you on that point. Elcomsoft clearly manufactured a circumvention tool and distributed it in the United States. My understanding is that Sklyarov's only culpability is that he authored the code. Suppose the government could come after me for some of the tools I wrote ten years ago? Hopefully not, since that pre-dates the DMCA.

But now lets consider the Felten case. SDMI threatened Felten with litigation and prosecution under DMCA if he published / presented his own intellectual property in a public forum. SDMI viewed Felten's freedom of speech as a circumvention device. SDMI subsequently backed off their threat, and the EFF filed suit to have the government restrain itself from using the DMCA to prosecute free speech... which suit was dismissed... the government refused to go on the record about this, even though Felten was assured by DOJ, RIAA and SDMI that he would not be prosecuted for his scientific pursuits.

Would YOU believe such assurances from these characters in the absence of a declarative ruling from a court?

.. the primary complaint being registered by people on this thread is that they can't even talk or write about security issues.

And they might be right! This is a Big Grey Area right now, and nobody wants to be THE test case.