Status of Cryptography Research in implementation of the EUCD
Owen Lewis
oml at sysrx.uk.com
Wed, 14 Aug 2002 11:55:13 +0100
> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Julian T J
> Midgley
> Sent: 14 August 2002 00:14
> To: ukcrypto@chiark.greenend.org.uk
> Subject: RE: Status of Cryptography Research in implementation of the
> EUCD
>
>
> >
> > Is it a given that the 'academic' is not under any form of NDA and nor has
> > he obtained his information through breach of licence terms etc.?
> >
> > How then is his finding a flaw or publishing what he finds to be actionable?
> > The information upon which he comments is made freely available and his
> > opinion (right or wrong) is his own.
>
> (Just to answer this particular question:)
>
> Have you read the draft implementation of the copyright directive?

To answer a question with a question, one must surely be Irish? :-)

>
> In the case where the academic publishes information concerning an
> algorithm that is used to copy-protect a computer program, the
> implementation is quite clear- I quote:
>
> "296.(1) This section applies where copies of a computer program are issued
> to the public, by or with the licence of the copyright owner, in an
> electronic form which is copy-protected.
>
> (2) The person issuing the copies to the public has the same rights
> against a person who, knowing or having reason to believe that it will be
> used to make infringing copies
>
> (a) makes, imports, sells or lets for hire, offers or exposes for sale or
> hire, or advertises for sale or hire, or possesses in the course of a
> business any device or means specifically designed or adapted to
> circumvent the form of copy-protection employed, or
>
> (b) publishes information intended to enable or assist persons to
> circumvent that form of copy-protection,
>
> as a copyright owner has in respect of an infringement of copyright."

Thank you. That's clear enough, isn't it?

>
> It does not matter whether or not the copy-protection mechanism comes with
> a licence agreement forbidding its circumvention - the law of copyright
> will apply regardless...

An algorithm is paid for and employed by the copyright holder as a means to
diminish his risk that others will not steal what is his. As a wise man he
expects no cast iron warranty that the protection can under no
circumstances be defeated. Rather than placing his fate in the pockets of
expensive lawyers, he intends, by using the algorithm, to raise the level of
difficulty in copying his work to a point where would-be thieves simply turn
elsewhere. This is exactly the same logic as determines most levels of
security provision, in which the aim is to diminish risk rather than to
abolish it altogether.

Now, Y comes along and (most certainly in breach of terms of licence)
develops a means of circumventing A's copy protection scheme and publishes
it. The act of publication, not the developing of the method, is, in my
view, tantamount to a breach of copyright since it supplies information from
which only those who would steal can profit directly.

Let's be clear here. There may be three discrete sets of interest. Company
A's, Dr Y's and those who may protect value for themselves through the use
under terms of licence of A's copy protection scheme. There is no public
interest, per se, beyond the patent public good in having laws that punish
theft or the aiding and abetting of theft.

If Y publishes openly, it can be argued strongly that the only party who
stands to gain other than thieves is Y and that it is quite wrong that he
should be allowed to do so at the expense of direct loss caused to others.

I must also declare a personal interest. I am the majority shareholder and
sole director of a company that sells software products into a specialist
niche market. The cost of single licences runs into four figures and we are
well aware that we sell into some markets where illegal copying of software is
seen as a God-given right (whatever the law may say) and where any form of
copy protection is equally believed to be a challenge to manhood which must
be overcome.

For nine years we have licensed a method of copy protection (in various
versions) from a specialist provider and used this method on our products.
In this time, we have had two clear and determined attempts to hack a copy
of one of our programs and there have been two or three borderline cases.
Our market is small enough for me to be certain, over such a time period,
that no party has successfully hacked our programs for the purpose of the
sale of fake or re-badged copies. I am equally certain that a company as
small as mine in a global marketplace would have been stolen blind years ago
without the use of a good-ish copy protection scheme.

The copy protection scheme need *not* be perfect. It needs to be sufficient
to make the effort in breaking it non-cost effective plus some margin to
cope with the merely unreasonably vain (who, by definition, have to be less
talented than they believe themselves to be).

So, how can we benefit from the expert attention of Y to the copy protection
scheme we use?

If Y does his own thing and publishes openly:

- The company who licenses us their method loses.
- My company (and other companies like me) lose far more.
- The licensees of my company's products and the licensees of all other
  products of other companies that are similarly protected stand also to lose.

The only winners are Y, whose reward for publication will be kudos and
improved employment opportunities, and the thieves who profit hugely from
the information published.

It needs to be said again that Y serves no imperative of 'public good' by
publication. Indeed, any good he might be able to do through his discovery
may be nullified by publication.

On the evidence available, I think that the move to rank *unauthorised
publication* of a method to hack copy protection pari passu with a breach of
copyright must be correct and should be supported. This does not mean that I
think that Y should be absolutely prevented from doing such research, though
it may mean that he (and others) can only legitimately profit from it
indirectly.

Owen