p2pnet.net News:- Michael Geists’s 30 Days of DRM highlights some of the exceptions and limitations that the government should include if a Canadian DMCA is introduced.

You can also contribute to the discussion through the 30 Days of DRM Wiki.

Below are items 7 through 12.

Go here for items 6 and 5, here for 4 and 3, and here for 2 and 1.

30 Days of DRM – Day 12: Research and Private Study (Circumvention Rights)

Section 29 of the Copyright Act contains one of the most important user rights in Canadian copyright law – fair dealing for the purpose of research or private study does not infringe copyright. For many years, this provision was narrowly defined such that the education and library communities adopted relatively conservative approaches to defining what constituted fair dealing. In recent years, however, Canada has experienced a dramatic shift in the vibrance and importance of fair dealing. In a trio of cases, the Supreme Court of Canada strongly affirmed the need for balance in Canadian copyright law. The shift began in the Theberge, where Justice Binnie, in discussing the copyright balance, stated that:

The proper balance among these and other public policy objectives lies not only in recognizing the creator’s rights but in giving due weight to their limited nature. In crassly economic terms it would be as inefficient to overcompensate artists and authors for the right of reproduction as it would be self-defeating to undercompensate them. Once an authorized copy of a work is sold to a member of the public, it is generally for the purchaser, not the author, to determine what happens to it.

Excessive control by holders of copyrights and other forms of intellectual property may unduly limit the ability of the public domain to incorporate and embellish creative innovation in the long-term interests of society as a whole, or create practical obstacles to proper utilization. This is reflected in the exceptions to copyright infringement enumerated in ss. 29 to 32.2, which seek to protect the public domain in traditional ways such as fair dealing for the purpose of criticism or review and to add new protections to reflect new technology, such as limited computer program reproduction and “ephemeral recordings” in connection with live performances.

Having affirmed the need for balance in Canadian copyright, a unanimous Supreme Court then proceeded to elevate the importance associated with the exceptions to copyright infringement in the CCH Canadian v. LSUC by describing them as user rights. Justice McLachlin stated:

the fair dealing exception is perhaps more properly understood as an integral part of the Copyright Act than simply a defence. Any act falling within the fair dealing exception will not be an infringement of copyright. The fair dealing exception, like other exceptions in the Copyright Act, is a user’s right. In order to maintain the proper balance between the rights of a copyright owner and users’ interests, it must not be interpreted restrictively.

Moreover:

The fair dealing exception under s. 29 is open to those who can show that their dealings with a copyrighted work were for the purpose of research or private study. “Research” must be given a large and liberal interpretation in order to ensure that users’ rights are not unduly constrained. I agree with the Court of Appeal that research is not limited to non-commercial or private contexts.

With copyright balance and the importance of user rights established beyond doubt, the creation of anti-circumvention legislation that fails to adequately preserve that balance, including user rights, should properly be seen as directly undermining the very foundation of copyright law in Canada. Bill C-60 sought to maintain that balance by linking circumvention to copyright infringement, so that someone who circumvented a TPM could argue that they did not do so for the purpose of copyright infringement if their intended purpose was covered by fair dealing.

If Canada moves toward a U.S. DMCA-style approach, however, circumventing a TPM for research and private study would constitute infringement. Indeed, U.S. cases such as RealNetworks v. Streambox leave little doubt that fair use (the U.S. equivalent to Canada’s fair dealing) can be eliminated through an anti-circumvention provision. In doing so, it would, in the words of the Chief Justice, unduly constrain user rights (not to mention harm federal-provincial relations given that education is a provincial matter). Accordingly, a specific circumvention right for research and private study as covered by the fair dealing provision will be needed to preserve a right that Canada’s highest court has described as an “integral part of the Copyright Act.”

30 Days of DRM – Day 11: Involuntary Installation of Software (Circumvention Rights)

Yesterday’s post addressed the negative impact of anti-circumvention legislation on security research. There is another security issue that merits discussion – the involuntary installation of software that may constitute a personal security threat to individual computer users. Such software is frequently classified as spyware – software programs that are placed on users’ computers without their informed consent that proceed to cause havoc by compromising personal information, posing an identity theft risk, sending spam, and infecting other computers.

While spyware can worm its way onto a personal computer in many different ways, inclusion within a DRM is a possibility. The best-known example of the DRM-spyware connection is last year’s Sony rootkit fiasco.

The Sony case started innocently enough with a Halloween-day blog posting by Mark Russinovich, an intrepid computer security researcher. Russinovich discovered his own tale of horror – Sony was using a copy-protection TPM on some of its CDs that quietly installed a software program known as a “rootkit” on users’ computers. The use of the rootkit set off alarm bells for Russinovich, who immediately identified it as a potential security risk since hackers and virus writers frequently exploit such programs to turn personal computers into “zombies” that can send millions of spam messages, steal personal information, or launch denial of service attacks. Moreover, attempts to uninstall the program proved difficult, as either his CD-Rom drive was no longer recognized or his computer crashed.

While Sony and the normally vocal recording industry associations stood largely silent – a company executive dismissed the concerns stating that “most people don’t even know what a rootkit is, so why should they care about it” – the repercussions escalated daily. There were dozens of affected CDs, including releases from Canadian artists Celine Dion and Our Lady Peace. Class action lawsuits were launched in the United States and Canada, a criminal investigation began in Italy, and anti-spyware companies gradually updated their programs to include the Sony rootkit. Researchers estimated that the damaging program had infected at least 500,000 computers in 165 countries.

The Sony case provides a vivid illustration of how TPMs can create real security and privacy risks. The U.S. Computer Emergency Response Team, which was jointly established in 2003 by the U.S. government and the private sector to protect the Internet infrastructure from cyber-attacks, advised users that they should not “install software from sources that you do not expect to contain software, such as an audio CD.” Moreover, Stewart Baker, the U.S. Department of Homeland Security’s assistant secretary of policy, admonished the music industry, reminding them that “it’s very important to remember that it’s your intellectual property – it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.”

Baker is right, but governments that enact anti-circumvention legislation must share in the blame. Not only do these policies encourage DRM use, but they also pose a security threat since the simple act of circumventing a TPM to stop DRM-supported spyware on a personal computer may violate the law. It should be beyond doubt that people should have the right to circumvent to protect their own personal security against software that is installed involuntarily without their informed consent. Indeed, the Australian parliamentary committee investigating TPM exceptions reached the same conclusion, recommending an exception for “circumvention for software installed involuntarily or without acceptance, or where the user has no awareness a TPM or no reasonable control over the presence of a TPM.” Canadians deserve no less.

30 Days of DRM – Day 10: Security Research (Circumvention Rights)

Given the priority currently accorded to security concerns, it is difficult to understand how any government would be willing to undermine security in the name of copyright. That is precisely what has occurred in the United States, however, where computer security researchers have faced a significant chilling effect on their research due to legal threats from the DMCA. The U.S. cases are fairly well known: they include Princeton professor Edward Felten facing a potential suit from the RIAA when he planned to disclose his research findings in identifying the weaknesses of an encryption program and Dmitri Sklyarov, a Russian software programmer, spending a summer in jail after presenting a paper at a conference in Las Vegas that described his company’s program that defeated the encryption on the Adobe eReader.

Even more compelling are recent comments from Professor Felten at a conference at the University of Michigan.

Felten told attendees that for every two hours he spends researching in the lab, he spends one hour with lawyers discussing what he can and cannot reveal in his research. Moreover, he advised that he has self-censored every research paper (with the exception of his work that brought the legal threats from the RIAA) and that he was aware of the Sony rootkit threat months before it was publicly disclosed but did not break that story due to legal concerns. In light of these events, Felten acknowledged that many potential security research scientists were choosing alternative career paths in order to avoid the legal hassles now associated with computer security research.

These same concerns were echoed in Canada in a 2005 letter from the Digital Security Coalition to the then-Ministers of Canadian Heritage and Industry. The letter noted that:

Understand that the science and business of digital security implicates the practical application of circumvention technologies. To understand security threats, researchers must understand security weaknesses. We are not in the business of circumventing technological safeguards for the purposes of exploiting the weaknesses we find; rather, we are in the businesses of finding and addressing those weaknesses.

Security weaknesses are best found – and addressed – when a variety of security researchers examine a platform or application. The odds of one party devising the best response to a security issue are slim; the likelihood of an optimal response improves significantly when a community of security researchers has the opportunity to examine and test a platform or application. Anti-circumvention laws throw a shroud of legal risk over that community, and dampen security research at the edges. Simply, anti-circumvention laws that provide for excessive control make for bad security policy.

Any new legislation must ensure that researchers and the companies typified by the Digital Security Coalition (which include Canadian leaders such as Third Brigade, Certicom, and Borderware Technologies) are free to conduct their work and to publish their results without fear of legal threats arising from anti-circumvention provisions. If Canada is to establish a U.S.-style DMCA, it must include an explicit circumvention right that covers security research (both the activity and its dissemination) in academic and commercial settings.

30 Days of DRM – Day 09: Reverse Engineering (Circumvention Rights)

The inclusion of a reverse engineering circumvention right is another obvious necessary provision. Reverse engineering is described by the Chilling Effects site as follows:

Reverse engineering is the scientific method of taking something apart in order to figure out how it works. Reverse engineering has been used by innovators to determine a product’s structure in order to develop competing or interoperable products. Reverse engineering is also an invaluable teaching tool used by researchers, academics and students in many disciplines, who reverse engineer technology to discover, and learn from, its structure and design.

The need for a reverse engineering provision therefore follows from some of the discussion last week – it is pro-competitive as it facilitates the creation of compatible devices as well as greater competition in the marketplace.

While there may be general agreement on the need for a reverse engineering provision, it is essential that Canada avoid the U.S. DMCA approach which has been widely criticized for being too limited in scope and thus woefully ineffective.

The DMCA allows software developers to circumvent TPMs of lawfully obtained computer programs, but in order to benefit from the provision, developers must seek permission first, must limit their activity strictly to interoperability, and cannot “traffic” in devices that would allow for circumvention (in other words, the tools need to circumvent may be unavailable). Moreover, the provision is limited solely to computer programs, thereby excluding TPMs associated with network protocols or hardware devices. The ineffectiveness of the reverse engineering provision has been borne out by caselaw – both the DeCSS case and the Blizzard case, which both involved interoperability issues, rejected attempts to use the DMCA’s reverse engineering provision.

In addition to the need for a broadly worded circumvention right, Canadian copyright law would also benefit from an explicit right of reverse engineering. The act of reverse engineering may well be covered by fair dealing given the expansive approach adopted by the Supreme Court of Canada in the CCH decision, however, there remains some element of risk in relying solely on the fair dealing user right. To remove that innovation inhibiting risk, Canada should expand fair dealing so that the current categories are deemed illustrative rather than exhaustive or, alternatively, establish an explicit reverse engineering user right.

Not surprisingly, the reverse engineering issue has garnered attention from Canada’s security industry. The Digital Security Coalition, comprised of some of Canada’s leading digital security companies, has written a public letter to the Ministers of Industry and Canadian Heritage emphasizing the importance of reverse engineering. It warns against anti-circumvention legislation and calls for explicit protection for reverse engineering within the Copyright Act.

30 Days of DRM – Day 08: Privacy (Circumvention Rights)

Today’s post kicks off the heart of the 30 Days of DRM series – circumvention rights. Circumvention rights are necessary since everyone agrees that an absolute anti-circumvention provision (ie. circumvention prohibited in all circumstances) is unworkable. There are instances where such a prohibition would result in significant costs by precluding beneficial activities, creating “unintended consequences”, and lead to significant harm to the public. Indeed, the DMCA itself includes several narrow exceptions to the general anti-circumvention rule.

The approach in Bill C-60 was to limit (the government believed eliminate) the need for circumvention rights by creating a direct link between circumvention and copyright. Bill C-60 only made it an offence to circumvent a technological measure for the purposes of copyright infringement. In other words, if you had another purpose – for example, protecting your personal privacy – the anti-circumvention provision would not be triggered.

If the new copyright bill adopts a U.S. style approach, then a crucial part of the discussion will be whether the government has identified all the necessary rights to limit the harms associated with anti-circumvention legislation. While these rights might be characterized by some as exceptions, I think they are more appropriately viewed as circumvention rights, analogous to the Supreme Court of Canada’s emphasis on user rights.

Privacy protection is an obvious example of a circumvention right.

---

p2pnet newsfeeds for your site.

rss feed: http://p2pnet.net/p2p.rss
Mobile – http://p2pnet.net/index-wml.php

This entry was posted on Wednesday, August 30th, 2006 at 2:22 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

HOME

Viewed 2346 times