Status of Cryptography Research in implementation of the EUCD
Owen Lewis
oml at sysrx.uk.com
Wed, 14 Aug 2002 11:55:14 +0100
More substantially answered in another post.
> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Julian T J
> Midgley
> Sent: 14 August 2002 00:09
> To: ukcrypto@chiark.greenend.org.uk
> Subject: RE: Status of Cryptography Research in implementation of the
> EUCD
>
> Algorithm X, following substantial review, is widely considered to be
> secure.
>
> Company Z employs algorithm X as part of its technical protection measure
> designed to prevent the piracy of its electronic text/music distribution
> scheme, or as part of copy-control protection of software it distributes.
>
> A researcher discovers a previously unknown weakness in algorithm X, and
> publishes details of it, in the interests of warning those who are using
> it for their secured email or web transactions that it is vulnerable, and
> proposes also an amendment to it that fixes the weakness.
This is only a minor elaboration of the example that coincidentally I
used elsewhere today. Therefore, I think we are agreed at least on what it
is we are discussing. Always helpful but not always so certain in this type
of discussion. :-)
My point (made elsewhere) is that unauthorised publication serves no
imperative of 'public good' and damages, to some greater or lesser extent,
the rights of others.
> Company Z notes that the disclosure of this weakness amounts to
> publication of information describing a means of circumventing its
> copy-protection mechanism. If Z has used this mechanism to protect
> software, then under section 296 of the amended CDPA 1988, the researcher
> may be civilly actionable for publishing information "intended to enable
> or assist persons to circumvent that form of copyright protection".
On the basis of what I presently know, I'd say that was the preferable
course.
> If Z has instead only used it for protecting music or electronic texts,
> then, if publishing information is to be considered "providing a service",
> the researcher has committed a criminal offence under section 296ZB, for
> which he may be imprisoned for either up to three months or two years
> (depending on whether the conviction is summary or on indictment).
>
> In neither case, according to the draft amendments to CDPA 1988, is the
> researcher afforded any form of immunity as suggested might be his by
> paragraph (48) of the preamble to the EUCD.
The principle of de minimis (sadly ignored in recent years) should be
invoked to provide de facto immunity from prosecution for the act of
research. No such immunity should be extended to the unauthorised
publication of successful hacks.
As an aside, one reflects on the differences between pure and applied
research. Here, we are not discussing the former, I think, but only the
latter. The latter must be bound by the law as and when it adversely affects
the lawful right of others.
> I would suggest that this is not a matter to be decided by case law at
> all. The EUCD was clearly drafted with the intention that research into
> cryptography would not be affected by the provisions dealing with the
> circumvention of technical measures, yet the draft implementation of the
> EUCD makes no attempt to provide any immunity whatsoever for those engaged
> in cryptographic research (or, at least, not as I read it).
If the intention was as you believe it to be, then I think that intention
was mistaken. Academic freedom (or any other freedom) is laudable, just so
long as it is not so proudful as to wish to trample into the dust the rights
of others.
Owen