Status of Cryptography Research in implementation of the EUCD

Julian T J Midgley jtjm at xenoclast.org
Thu, 15 Aug 2002 13:33:24 +0100 (BST)


On Wed, 14 Aug 2002, Owen Lewis wrote:

>
>
> > -----Original Message-----
> > From: ukcrypto-admin@chiark.greenend.org.uk
> > [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Julian T J
> > Midgley
> > Sent: 14 August 2002 17:51
> > To: ukcrypto@chiark.greenend.org.uk
> > Subject: Re: Status of Cryptography Research in implementation of the
> > EUCD
> >
> > Owen's point (that arbitrary groups shouldn't be placed above the law) is
> > a reasonable one, and generally true.  However, in the case when the law
> > being implemented is neither strictly necessary[0], nor a particularly
> > good one, there are valid reasons for exemptions for certain activities.
>
> For the moment, let me accept unchallenged your opinions that the law is
> neither "strictly necessary" nor "particularly good". If this is true then,
> surely, strike at the law! Do not weasel word some special case exemption
> from it. Bad law is bad law. A confusion of aims?

It is not possible to strike directly at the law (at this stage), since it
has been passed as a European Directive, and if the UK fails to implement
it, the country could find itself in breach of the Treaty of Rome.

Therefore, the sensible thing to do at this point is to ensure that it is
implemented in a compliant fashion in a way that does as little harm as
possible.  Later, one might attempt to have the whole thing overturned,
although this would scarcely be an easy task.




> > Indeed, the traditional law of copyright is full of such exemptions,
> > classed together under the heading of "fair dealing", for example, and the
> > different set of rules that apply to librarians, those making copies for
> > the purposes of instruction or examination, etc.
>
> These (and many other exemptions in law - see the DPA) are an incorporation
> of de minimis, doubtless in case some should be so hasty as to otherwise
> ignore it. Sad really.
>
> Publication of a hack is not essentially de minimis though the research upon
> which it is based may well be. The effects of publication may be harmful and
> widespread.
> >
> > So I find Owen's dismissal of the right of academics to exemptions from
> > the proposed laws on circumvention somewhat glib.
>
> Make sure we are clear on who is glib. It is the publication and not the
> research which should be restrained by law.

You have surely noticed that it is the usual practice of academics to
publish details of their research?  Academic discussion is rather severely
hampered if no publication can occur, since publication is essential both
to the process of discussion and to establishing the reputation of the
academic.

As far as an academic is concerned (and those practising academics on this
list should feel free to correct me if I am wrong), research without
publication is very nearly pointless.

If researcher A can only say to researcher B (or to the academic community
at large) "I discovered a flaw in copy-protection scheme Foo yesterday,
but am forbidden from telling you what it is", and researcher B (or anyone
wishing to discuss the matter further), must independently discover the
same flaw before they can even begin to discuss improvements, then
progress will be glacially slow.


> Your persistent elision of the
> two in argument may be reminiscent of the spiel of a 'find the lady'
> cardsharp but it is truly of little effect.

It is absolutely nothing of the sort.  Find me an academic who labours on
research but never publishes details of what he has done...

>
>
> Repetition becomes tedious. Cryptographic research as with all other human
> activity should not be hindered but trammelled by the law. In sum, the law
> will act to impede (or punish) as and when practitioners choose to break any
> of the myriad parts of it in some significant way; when it is public
> knowledge that they have broken the law; when they have caused harm by
> publication.  Tsk. Commonsense surely leads you to accept that no activity
> or its practitioners can be placed outside the law? What is the principle
> you would defend or feel should be preferred?

It may or may not have escaped your notice that a professor Felten was
threatened with prosecution under the DMCA last year because he announced
that he intended to publish a paper disclosing flaws in an as-yet
undeployed watermarking scheme.  The publication of his work benefits both
society and the company selling the scheme, since it alerts them to the
fact that it is flawed, (and may thus be broken by pirates), and prevents
any creative sorts from labouring under the misapprehension that their
work would be protected were they to pay for it to be distributed using
the scheme.  However, in the interests of not having to do more work to
produce a better scheme, the company concerned tried to prevent publication
by threatening to sue.  They have since backed down, after Felten tried to
sue both the company and the US Government for violating his First
Amendment rights...

As a result of this and the Sklyarov case, several academics have been
hesitant about publishing their research, for fear of prosecution.  In the
same way that we provide librarians with exemptions in order to allow them
to do their jobs, we should provide also for academics.  Suitable
exemptions need not amount to complete immunity from prosecution (the
academic who deliberately publishes an exploit enabling anyone to
circumvent a copy-protection scheme might deserve punishment, but he who
merely publishes details of the flaw (requiring someone else to write an
exploit) might benefit from an exemption).  There could be guidelines for
publication (potentially including the requirement to give the manufacturer
of the circumvented protection some warning before publication), but I see
no reason (nor have I seen you advance any) for insisting that academics
live in constant fear of prosecution if their work happens to involve
something that someone else construes to be a copy-protection mechanism.

Julian

-- 
Julian T. J. Midgley                      http://www.xenoclast.org/
Cambridge, England.                          PGP Key ID: 0xBCC7863F