Status of Cryptography Research in implementation of the EUCD

Julian T J Midgley jtjm@xenoclast.org
Wed, 14 Aug 2002 00:09:18 +0100 (BST) 

On Tue, 13 Aug 2002, Owen Lewis wrote:
>
> If X wishes to publish, then his examination should be by consent or, at the
> very least, without the express prohibition of the owner of rights in the IP
> he wishes to examine. Whether copyright implies such a prohibition I leave
> to the lawyers. The matter of terms of user licence may be far less
> debatable.

All interesting stuff, but consider the following case:

Cryptographic algorithm X is released into the public domain, and widely
used for a variety of software (including, for example, email encryption,
or as part of SSL).

Algorithm X, following substantial review, is widely considered to be
secure.

Company Z employs algorithm X as part of its technical protection measure
designed to prevent the piracy of its electronic text/music distribution
scheme, or as part of copy-control protection of software it distributes.

A researcher discovers a previously unknown weakness in algorithm X, and
publishes details of it, in the interests of warning those who are using
it for their secured email or web transactions that it is vulnerable, and
proposes also an amendment to it that fixes the weakness.

Company Z notes that the disclosure of this weakness amounts to
publication of information describing a means of circumventing its
copy-protection mechanism.  If Z has used this mechanism to protect
software, then under section 296 of the amended CDPA 1988, the researcher
may be civilly actionable for publishing information "intended to enable
or assist persons to circumvent that form of copyright protection".

If Z has instead only used it for protecting music or electronic texts,
then, if publishing information is to be considered "providing a service",
the researcher has committed a criminal offence under section 296ZB, for
which he may be imprisoned for either up to three months or two years
(depending on whether the conviction is summary or on indictment).

In neither case, according to the draft amendments to CDPA 1988, is the
researcher afforded any form of immunity as suggested might be his by
paragraph (48) of the preamble to the EUCD.

I would suggest that this is not a matter to be decided by case law at
all.  The EUCD was clearly drafted with the intention that research into
cryptography would not be affected by the provisions dealing with the
circumvention of technical measures, yet the draft implementation of the
EUCD makes no attempt to provide any immunity whatsoever for those engaged
in cryptographic research (or, at least, not as I read it).

Julian

-- 
Julian T. J. Midgley                      http://www.xenoclast.org/
Cambridge, England.                          PGP Key ID: 0xBCC7863F