Status of Cryptography Research in implementation of the EUCD

Graham Murray graham at barnowl.demon.co.uk
Wed, 14 Aug 2002 06:57:17 +0100


Julian T J Midgley <jtjm@xenoclast.org> writes:

> Cryptographic algorithm X is released into the public domain, and widely
> used for a variety of software (including, for example, email encryption,
> or as part of SSL).
>
> Algorithm X, following substantial review, is widely considered to be
> secure.
>
> Company Z employs algorithm X as part of its technical protection measure
> designed to prevent the piracy of its electronic text/music distribution
> scheme, or as part of copy-control protection of software it distributes.
>
> A researcher discovers a previously unknown weakness in algorithm X, and
> publishes details of it, in the interests of warning those who are using
> it for their secured email or web transactions that it is vulnerable, and
> proposes also an amendment to it that fixes the weakness.
>
> Company Z notes that the disclosure of this weakness amounts to
> publication of information describing a means of circumventing its
> copy-protection mechanism.  If Z has used this mechanism to protect
> software, then under section 296 of the amended CDPA 1988, the researcher
> may be civilly actionable for publishing information "intended to enable
> or assist persons to circumvent that form of copyright protection".

How does Z prove that the information is "*intended* to enable or
assist .."? It should be much easier for the researcher to show that
the intention of publication is intended to increase the security of
email and web users than for Z to show the intention to assist
breaking the copy protection. That assumes that Z could even
demonstrate that the researcher even knew that Z used X as part of
its copy protection.