Status of Cryptography Research in implementation of the EUCD

Julian T J Midgley jtjm at xenoclast.org
Wed, 14 Aug 2002 16:02:01 +0100 (BST)


On Wed, 14 Aug 2002, Owen Lewis wrote:
> (Big snip to get to the nub of the matter).
>
> > What does one do if one finds the structure of a bridge is such that it is
> > likely to fail in normal use?  Refrain from infringing the rights of the
> > owners to continue profiting from the tolls, and from their high engineering
> > reputation, or their intellectual property rights to the design being thought
> > to be a good one?  I hope not.
>
> As already pointed out at some length, it is hard to find here any principle
> suited to absolute application. One can argue differently according to the
> facts one chooses. That is one reason why I feel that there should be no
> absolute privilege above the law (of copyright infringement) for 'academic
> researchers'. If such privilege should be granted, why just to
> academics? Who is an academic? Is a Rastafarian only and truly called by a
> vision of God as uniquely revealed in the smoke from a spliff?

Firstly, we are not talking about copyright infringement (an academic who
discovers a weakness in an algorithm used for copy-protection doesn't
necessarily infringe anyone's copyright).

Secondly, the important point is that an algorithm can have numerous uses,
as I attempted to indicate in my early reply.  If the same algorithm is
used both in SSL and in a copy-protection mechanism, a researcher who
discovers a flaw benefits the public greatly by informing them that there
is a flaw in algorithm Foo, and by publishing details of the flaw, enables
someone to fix it (if he cannot fix it himself).  Inadvertently of course,
he publishes information that may be useful to someone wishing to
circumvent the copy-protection mechanism.  Now, even though he didn't
necessarily intend it to "enable or facilitate the circumvention of
effective technological measures", it is apparent that it does so, and
that a spiteful company might seek to have the researcher prosecuted under
296ZB.

The public interest is served by allowing the researcher to publish, and
not leaving him in fear of prosecution.  The company using the algorithm
for copy-protection can release an improved copy-protection scheme, and
should any copyright infringement result from the publication of the flaw,
can go after the perpetrators for infringement in the normal way.

Just to illustrate the risks further - Ross Anderson and the security team
at Cambridge frequently analyse tamper-resistant devices and cryptographic
algorithms used for all manner of purposes, in order to discover
weaknesses, and to propose improvements.  The mere act of circumvention of
a copy-protection mechanism is made civilly actionable by 296ZA,
/regardless/ of the purpose for which it is done, and /regardless/ of
whether any copyright infringement results, or can even possibly result.
Surely there should be some form of protection for non-commercial research
here?

Indeed, it's arguable that there is no need whatever to make an offence
(civil or criminal) of the mere act of circumvention.  If the
circumvention doesn't result in infringement and if information enabling
circumvention isn't published then the rightsholder has no complaint
whatever.  If I purchase an engine from you, and take it apart to
determine how it works, you cannot prosecute me for the act of doing so;
why then should you be able to prosecute me for the mere act of
circumvention, when no infringement results?

Julian


-- 
Julian T. J. Midgley                      http://www.xenoclast.org/
Cambridge, England.                          PGP Key ID: 0xBCC7863F