Status of Cryptography Research in implementation of the EUCD

Owen Lewis oml at sysrx.uk.com
Tue, 13 Aug 2002 20:43:22 +0100


> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Julian T. J.
> Midgley
> Sent: 13 August 2002 18:08
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Status of Cryptography Research in implementation of the EUCD
>
>
> As I see it, an academic who found a flaw in a copy-protection scheme and
> published details of the flaw, could be actionable under section 296ZA for
> circumventing the technological measure, and potentially also under 296ZB
> for publishing details of how to circumvent it.  The latter is more
> questionable, however, and depends on whether or not publishing
> information constitutes "providing a service" as far as the law is
> concerned.  Advice from any of the lawyers resident on this list would be
> much appreciated on this point.

Just a few thoughts.

Is it a given that the 'academic' is not under any form of NDA and nor has
he obtained his information through breach of licence terms etc.?

How then is his finding a flaw or publishing what he finds to be actionable?
The information upon which he comments is made freely available and his
opinion (right or wrong) is his own.

However, if to do his work, he has to first obtain information which is not
freely given (published or otherwise given without conditions) then he might
well have (at least one) problem and perhaps rightly so.

I'm not sure that this matter can be sensibly discussed as a matter of
general principle. Rather, each case will turn on its facts.

In the particular case of cryptography, let's look briefly at two optional
cases:

	1.	Dr X devises a cipher and puts the source code on his open web site or
publishes it in a book. Dr Y then comes along and publishes an elegant
commentary, describing how and why Dr X's brainchild is The Emperor's New
Clothes. Fair enough, surely?

	2.	Company A devises a program which incorporates one or more proprietary
cryptographic routines. It widely licenses this program but does not reveal
its source code and licensed users agree to abide by the terms of the
licence among which are specific agreement not to disassemble, reverse
engineer etc. This may put Dr Y in a difficult position if he wishes,
lawfully, to first obtain the information he needs and upon which to perform
tests and other analysis to develop an opinion on the worth of the security
protection offered?  N.B. If the main purpose of the program is the security
of information and A makes it generally available without publishing the
source code for peer examination, well, A is really not going to sell too
many copies, now is it? :-)

In case 2, clearly, it is in Company A's financial interest to see that Dr Y
may not lawfully trash their USD n10^6 investment. Conversely, it may both
advance the career prospects of Dr Y and provide some public service if Dr Y
can point out flaws. But, in common sense, equity in the matter is far from
certain (to me at least) without a much better knowledge of all the facts of
the particular case.

Has Y acted lawfully in obtaining the information that he then criticises?
If he has not then, surely, in publishing his findings he simply draws
attention to his unlawful act(s)?

Y does have an alternative (though it too may be not strictly lawful). In
his search for knowledge, he can take a copy of A's program under the
bedclothes, so to speak, break it open and dissect its entrails. He will
then know more than he did before and be a wiser man. He may use his
increased wisdom in many beneficial ways; to further the education of
others; to develop improved routines of his own that will better serve the
public good; to help others falling into similar error to that of A. But,
for safety, he needs to forgo all publicity that will spotlight his unlawful
act (if any) and to keep the exact source(s) of his wisdom to himself.

All this brings to mind an image of 19th Cent doctors learning their
anatomy and developing their dissective skills on corpses unlawfully
obtained. Plus ça change...

If X wishes to publish, then his examination should be by consent or, at the
very least, without the express prohibition of the owner of rights in the IP
he wishes to examine. Whether copyright implies such a prohibition I leave
to the lawyers. The matter of terms of user licence may be far less
debatable.

Owen