Re: Linux 2.2.20pre10

From: Tudor Bosman (tudorb@pikka.net)
Date: Mon Oct 22 2001 - 14:14:47 EST


OK, let's get the disclaimer out of the way. This post is opinionated,
and IANAL. Now...

For reference, here is the full text of the DMCA subsection in question:
(1201(2)):

 ``(2) No person shall manufacture, import, offer to the public,
provide, or otherwise traffic in any technology, product, service,
device, component, or part thereof, that-

          ``(A) is primarily designed or produced for the purpose
    of circumventing a technological measure that effectively con-
    trols access to a work protected under this title;
          ``(B) has only limited commercially significant purpose or
    use other than to circumvent a technological measure that
    effectively controls access to a work protected under this title;
    or
          ``(C) is marketed by that person or another acting in concert
    with that person with that person's knowledge for use in cir-
    cumventing a technological measure that effectively controls
    access to a work protected under this title.

I would like to comment on this from two different angles.

1. The subsection mentions "any technology, product, service, device,
component, or part thereof". While this definition is vague, and we
hackers tend to like splitting hairs (see Dave Touretzky's DeCSS
gallery, http://www-2.cs.cmu.edu/~dst/DeCSS/Gallery/index.html), there
is a clear distinction between (constitutionally-protected) speech (in a
non-machine readable) form, and a software product. Other forms of
expression (source code, non-machine readable source code, source code
set to music, etc.) lie on the fine line between the two.

For example, exporting PGP on paper and OCR-ing it (because exporting it
in electronic form was illegal) was a legal absurdity. While this
hair-splitting might have amused a few lawyers and judges here and
there, I believe that a well-versed attorney could have torn that
defense to pieces, because we tried drawing demarcation lines instead of
concentrating on defeating the spirit of the law.

The above-mentioned paragraphs make no reference to "information" or a
"description" of such a circumvention device. A high-level description
(in plain English) of a security hole is not a "technology, product,
service, device, component, or part thereof"; and if it can be construed
as such, surely the realization of such description (the source code
itself) is much closer to the notion of a "product". Is this the end of
full disclosure and open source/free software? Should BUGTRAQ be banned
from US residents?

2. The arguments for/against publishing the description of the security
hole in the DMCA context are the same as the arguments for/against full
disclosure in the security field in general. IF the description were
published, then... (paraphrasing the three DMCA paragraphs I cited)

(A) it would NOT be primarily designed for circumventing a technological
measure that effectively controls access to a protected work- it would
be primarily designed for informing system administrators of their risks
and the importance of the patch, and informing developers of pitfalls to
avoid in writing new code;

(B) it would have a LARGE commercially significant purpose other than to
circumvent a technological measure that effectively controls access to a
protected work- the main purpose would be to urge system administrators
and developers to implement a higher degree of protection (at the very
least, apply the patch), and

(C) it would NOT be marketed by Alan Cox or another acting in concert
with him for use in circumventing a technological measure that
effectively controls access to a protected work- this is a no-brainer, I
don't think there are many people on this list who openly advocate
exploiting security holes for gaining unauthorized access.

In conclusion, I tried to make two points in the above rant:

1. A description of a security hole is constitutionally protected
speech, and as such cannot be construed as violating the sections of the
DMCA. If such description fits the definition of "technology, product,
service, device, component, or part thereof", then we're in big trouble,
because source code itself is much closer to the definition of a
"product" than a description of the source code.

2. A description of a security hole, or unpatched source code, or even
exploit code do not meet the criteria set forward by the DMCA for
illegal circumvention devices.

Best regards,

Tudor.

-- 
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."
        - Benjamin Franklin, Historical Review of Pennsylvania, 1759.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Tue Oct 23 2001 - 21:00:32 EST