Status of Cryptography Research in implementation of the EUCD

Julian T. J. Midgley jtjm@xenoclast.org
Tue, 13 Aug 2002 18:07:35 +0100 (BST) 

According to paragraph (48)[0] of the preamble of the European Union
Copyright Directive[1], the anti-circumvention provisions of the Directive
are not meant to interfere with cryptography research.

However, having read the draft implementation[2] carefully, I can't see
any indication that it contains any protection against prosecution for
cryptographic researchers.  Interestingly, although the preamble of the
Directive itself expresses the intent not to hinder research, the
Directive also contains no provisions that would ensure this.

Section 296ZD of the draft implementation allows academics who can't gain
access to a work due to its protection by a technological measure to
appeal to the Secretary of State for such access, but this concerns only
obtaining access, not obtaining permission to circumvent the protection
itself.

As I see it, an academic who found a flaw in a copy-protection scheme and
published details of the flaw, could be actionable under section 296ZA for
circumventing the technological measure, and potentially also under 296ZB
for publishing details of how to circumvent it.  The latter is more
questionable, however, and depends on whether or not publishing
information constitutes "providing a service" as far as the law is
concerned.  Advice from any of the lawyers resident on this list would be
much appreciated on this point.

I cannot find anything either in the draft implementation, or in the
original CDPA 1988[3] that would protect a cryptographic researcher from
prosecution.  If so, we have at least one point on which we can press the
Patent Office for a positive amendment to their draft.

Julian Midgley


[0] Paragraph 48 of the EUCD:

(48) Such legal protection should be provided in respect of technological
measures that effectively restrict acts not authorised by the rightholders
of any copyright, rights related to copyright or the sui generis right in
databases without, however, preventing the normal operation of electronic
equipment and its technological development. Such legal protection implies
no obligation to design devices, products, components or services to
correspond to technological measures, so long as such device, product,
component or service does not otherwise fall under the prohibition of
Article 6. Such legal protection should respect proportionality and should
not prohibit those devices or activities which have a commercially
significant purpose or use other than to circumvent the technical
protection. In particular, this protection should not hinder research into
cryptography.

[1] EUCD:
http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&numdoc=32001L0029&lg=EN

[2] Draft implementation of the EUCD:
http://www.patent.gov.uk/about/consultations/eccopyright/index.htm

[3] Copyright Design and Patents Act 1988:
http://www.hmso.gov.uk/acts/acts1988/Ukpga_19880048_en_1.htm

-- 
Julian T. J. Midgley                      http://www.xenoclast.org/
Cambridge, England.                          PGP Key ID: 0xBCC7863F