Docket No. 990428110-9110-01

Request for Comments on Section 1201(g) of the Digital Millennium Copyright Act

AGENCIES: The National Telecommunications and Information Administration,
United States Department of Commerce; and the United States Copyright Office,
Library of Congress

ACTION: Request for Public Comment

COMMENTS RECEIVED JULY 26, 1999



 

FROM: bobbys@prodigy.net

ACTION: Request for Public Comment

SUMMARY: The National Telecommunications and Information Administration of the United States Department of Commerce and the United States Copyright Office invite interested parties to submit comments on the effects of Section 1201(g) of Title 17, United States Code, as adopted in the Digital Millennium Copyright Act, Pub. L. No. 105-304, 112 Stat. 2860 (Oct. 28, 1998) ("DMCA") on encryption research and the development of encryption technology; the adequacy and effectiveness of technological measures designed to protect copyrighted works; and the protection of copyright owners against unauthorized access to their encrypted copyrighted works.
 

COMMENTS:

1. I believe this proposed code addition needs wider public exposure for consideration.

2. Why didn't we use this same approach to low observable (stealth) technology? We could have saved a fortune. The United States could have simply painted all of its aircraft yellow. We would have negotiated a treaty with the world and ordered our citizens to abide by the same agreement, not to notice yellow airplanes. Then if (when) someone shot down one of our yellow airplanes it would not only be considered an act of war, but we could fine them too. Don't forget to outlaw the Blueblocker type sunglasses.

3. There are already legal protections for copyrighted work. Let encryption methods stand on their own merits and they will progress as the need and market does.

4. Got to love how that technologically poor excuse for protection we now have makes the movies I rent flicker, oh please let me pay more for any new equipment that can do worse.

I find this slow intensity modulation so annoying that without the availability of signal boosting amplifiers that were sometimes considered illegal, these "original" videos would have been unwatchable and certainly less enjoyable. If you legislate junk I won't purchase it.

5. I wonder if this idea is from the same folks who raised our taxes and usage fees by $9,000,000,000 while describing it as "revenue enhancing spectrum auctions"?

*****



July 12, 1999

Paula J. Bruening
Office of Chief Counsel
National Telecommunications and Information Administration (NTIA)
Room 4713
U.S. Department of Commerce
14th Street and Constitution Avenue N.W.
Washington, DC 20230

and

Jesse M. Feder
Office of Policy and International Affairs
U.S. Copyright Office
Copyright GC/I&R
P.O. Box 70400 Southwest Station
Washington, D.C. 20024

Dear Sir and Madam:

Thank you for the opportunity to comment on the effects on encryption research of the Digital Millennium Copyright Act.

I am presently employed in the field of cryptography. I design and implement cryptographic algorithms for the software libraries used by my employer, Network Associates, Inc. NAI is one of the largest companies providing cryptographic software in the United States, particularly the well known encryption program, PGP.

Encryption is a crucially important technology as we enter the 21st century. As we move into a world of electronic communications, cryptography is becoming the primary tool for controlling the flow and dissemination of information. It is necessary that research in this area continue unfettered so that we know what is possible and, more importantly, where we are failing to achieve our goals.

It appears that the DMCA may have a very unfortunate chilling effect on cryptographic research. The act has a number of provisions which specify under what circumstances cryptographic research may occur which relates to investigating the strength of copyright protections. The problem is that these are written in an ambiguous style which will put researchers at risk of violating the law. Prudent researchers who do not want to risk criminal prosecution will avoid work in this area.

The result will be that the only people working on breaking copyright protection will be criminals. Legitimate users will have no way of knowing whether the technology to which they are entrusting their secrets is working properly or not. That's the problem which researcher Bruce Schneier points out with regard to encryption: bad cryptography looks much the same as good cryptography. Only with expert analysis and challenge can we determine whether our algorithms are breakable. By driving the legitimate experts into other avenues of research, the DMCA will leave the field to those who care nothing about laws. To paraphrase another slogan, if you outlaw cryptographic research, only outlaws will do cryptographic research.

Let us look at the specific provisions of the DMCA which lead to this unfortunate result.

``(g) Encryption Research.--

``(1) Definitions.--For purposes of this subsection--

``(A) the term `encryption research' means activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products; and

``(B) the term `encryption technology' means the scrambling and descrambling of information using mathematical formulas or algorithms.
 

Here we see a problem which is symptomatic of this section of the Act.

We have an attempt to specifically define what encryption research is, so that it may be exempted. However the definition, although wordy, is far from clear. It relies on determining the purpose of the activities which are undertaken: are they intended to advance the state of knowledge, and/or to assist in developing encryption products. But it will be very difficult to prove what the purposes are of any particular instance of defeating copyright protection. A criminal may claim that he intended to disseminate his results, or a legitimate researcher who delays publication while he gathers more data may find himself accused of criminal actions.
 

``(2) Permissible acts of encryption research.--Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if--

``(A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;

``(B) such act is necessary to conduct such encryption research;

``(C) the person made a good faith effort to obtain authorization before the circumvention; and

``(D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
 

These provisions will impose a considerable burden on the researcher.

(A) requires him to retain documentation on all copyrighted material which he has in his possession in order to show that he obtained it lawfully. But this may not be at all reasonable, for if the material is encrypted it may be widely available for download. There is no technology available to prove that a given piece of data was freely available at some time in the past. This provision is going to be intolerably burdensome in many cases.

(B) has the problems listed above in interpreting what constitutes encryption research.

Provision (C) can only be described as bizarre. There is no requirement elsewhere in the exemptions to receive authorization from the copyright holder. Apparently, whether authorization is granted or not makes no difference, but nevertheless the researcher is required to seek authorization? This is completely illogical.

Furthermore, this provision will face many of the same documentation problems as section (A), as in many cases the copyright holder may not be known or reachable. What constitutes a good faith effort in that case? The researcher who fails to guess correctly on this point faces criminal prosecution.

(D) can only increase the uncertainty felt by a researcher considering entering this minefield.

The net result is that these provisions carve out an exception which is loaded with traps, where inadequate documentation can lead to criminal penalties, and where illogical actions are required for no purpose. This is sure to drive many qualified researchers from the field.

``(3) Factors in determining exemption.--In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--

``(A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;

``(B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and

``(C) whether the person provides the copyright owner of the work to which the technological measure is applied with notice of the findings and documentation of the research, and the time when such notice is provided.
 

These provisions further increase the uncertainty and risks which will be faced by researchers. Not only his intentions are being judged, but the judgement criteria are left vague and menacing.

Under provision (A) he has to disseminate his results in an acceptable way. What does that mean? If he notifies his colleagues, which is a common practice in the research community, is he now open to prosecution? If some colleagues use the information irresponsibly, is the original researcher to be penalized? He faces a dilemma whether he publishes or keeps his results secret.

As for provision (B), are we now creating a de-facto classification of "licensed cryptographers" who are allowed to do cryptographic research? Imposing criminal penalties based on whether a judge views the researcher as having adequate training, experience, and employment is absurd without some kind of objective certification. This is a fast-moving field and many of the most creative results have come from individuals without formal training in cryptography (which is offered at very few institutions). I personally have no specific training in the field other than a degree in computer science. Would this pass muster under this provision? There is no way to know.

Provision (C) is astonishingly vague. It seems to be trying to hint that a break should initially be reported only to the copyright holder, then later to the research community, and finally it can be made public. But for some reason the Act is not willing to say so plainly.

This provision is representative of the flaws in this entire section of the Act. It is legislation by innuendo, enforcement by intimidation. These requirements are not stated clearly, rather we have an ill defined set of guidelines which may be interpreted in any way desired by the judge. It is impossible to conduct research safely in such a regime.

In summary, the attempts by the DMCA to carve out an exception for legitimate cryptography researchers are seriously flawed. Anyone doing research in this area faces severe record-keeping burdens, and risks having their actions misconstrued. With criminal penalties as the result of anything determined to be a violation, it is likely that this Act will drive cryptographic researchers from the field.

The result will be a loss of confidence in cryptographic technology as users realize that the best and brightest researchers are no longer able to do research in this field. This will harm electronic commerce and damage American interests domestically and internationally. As currently written, it appears that the DMCA will have exactly the opposite effect from what was intended, in that it will reduce the protections to copyright holders and delay widespread electronic distribution of copyrighted material.

Thank you for your attention.
 

Hal Finney
Senior Software Engineer
Network Associates, Inc.
hal@finney.org

*****



>The principal question is: "How will the provisions of section 1201(g)
>of the DMCA affect encryption research?"

...
And I am not going to address that question, as I think that the 9th Amendment to the US Constitution precludes your regulations on encryption research regardless of whether or not lawyers want to dishonestly ignore it, along with judges, law professors, justices...

It's there, period. Wanna try and repeal it? Go ahead, but enough of the dishonest pretending it doesn't exist!

I will instead focus on the _actual_ meaning of the term "Escrow."

Escrow REQUIRES a NEUTRAL, THIRD PARTY, no matter what Newspeak spewing NSA lawyers might claim. If you want to have GAK (Government Access to Keys) then swallow the cowardice of the bureaucratic past and SAY that you want Government Access to Keys. Try honesty. The US government is rarely, if ever, able to make a convincing case that y'all are neutral (much less third) parties, especially in cases you'd want to assert it (probably more drug asset forfeiture than terrorism, since government agents are greedy, and don't want to get their asses shot off or blown up).

So, the bottom line is: go get a dictionary, look up the *TRUE* meaning of the term, and begin using it honestly for a change. I say "for a change" because of the bipartisan dishonesty that has spanned more than a decade of government criminality & moral turpitude. Honesty may cause you to "lose" on the issue of grabbing everyone's privacy, but that's because government DESERVES to lose, and freedom _deserves_ to win. This will lead to LESS, not more, violence in the future.

Thanks for listening. If you think I am wrong about ANYTHING I've written above, please tell me why.

JMR

Regards, James M. Ray <jray@digigold.net> or <jray@e-gold.com>

"In 1972, when Richard Nixon declared a war on drugs, the annual federal budget for the war was around $101 million. Next year, it will be $17.8 billion." -- Joseph D. McNamara, former police chief of both Kansas City, MO, and San Jose, CA.

My PGPkey is at: http://www.TraderJim.net

*****

Comments of the Software & Information Industry Association
on Section 1201(g) of the Digital Millennium Copyright Act

Submitted to the U.S. Copyright Office and National Telecommunications and Information Administration

July 26, 1999





The Software & Information Industry Association (SIIA) is the principal trade association of the software and information industry and represents over 1,400 high-tech companies that develop and market software and electronic content for business, education, consumers, the Internet, and entertainment. SIIA members represent a wide range of business interests. In particular, numerous SIIA members create and develop new and valuable encryption technologies, use encryption technologies to protect their proprietary content, and purchase or license software and information products and other content and services that utilize encryption technologies. Consequently, SIIA and many of our members are extremely interested in issues relating to the protection and use of encryption technologies and the relationship between research and development activities relating to encryption and the provisions in the Digital Millennium Copyright Act (DMCA) prohibiting the circumvention of technological protection measures such as encryption.
 

In response to the "Request for Comments on Section 1201(g) of the Digital Millennium Copyright Act" published in the Federal Register of May 27, 1999 by the National Telecommunications and Information Administration (NTIA) and the Copyright Office, SIIA files the following comments on behalf of its members.
 

The notion of trust in electronic commerce is of critical importance and applies to both consumers and businesses. From securing sales to the handling of personal data to certifying transactions and individuals, trust is the underlying issue that will determine whether electronic commerce reaches its full potential. That trust must be instilled first in intellectual property owners. If these rights holders are expected to make their proprietary content available over the Internet, one must recognize the risks associated with placing their property in an environment where it could be stolen, and an infinite number of exact copies can be distributed worldwide. Therefore, if electronic commerce is going to thrive, rights holders must be able to trust that their proprietary digital content will be safe and secure in the network environment. In the long run, this trust will benefit consumers, who will have more products to choose from, and the added convenience and flexibility of access through electronic licensing.
 

One way a sense of trust can be established in the e-commerce environment is through the use of technological protection measures. SIIA firmly believes that through the deployment of market-developed technological measures, many of the concerns of both the copyright owner and user communities can be most effectively addressed.
 

Perhaps the most promising technological protection measure is encryption technology. Encryption technology allows the users of such technologies to control access to their proprietary materials. While encryption technology--like any other technological solution--will prevent a certain amount of piracy, it is not 100% effective. Because piracy tools that circumvent and disable encryption technologies and other technological measures are widely available, mere use of technological protection measures is not a complete solution.
 

Another significant part of the solution is the enactment of appropriate legal protections that encourage rights holders to make their proprietary materials accessible online and adequately punish those who run afoul of these protections. To restore the balance upset by piracy tools, the legal protections afforded to rights holders must provide effective legal remedies against unauthorized circumvention of technical protection measures. More significantly, legal protections must also prohibit the trafficking in tools that permit such circumvention. With passage of the DMCA last October, copyright owners now have (or, in the case of the conduct prohibitions, will have) these remedies at their disposal in the United States.
 

Section 1201(a) of the DMCA prohibits both the act of circumventing technological protection measures to gain unauthorized access to copyrighted works and the trafficking in any anticircumvention tools that permit unauthorized access. The prohibition against trafficking, which became effective immediately upon enactment of the DMCA, applies to those technologies, products, services, devices, or components that: (1) are primarily designed or produced for circumvention purposes, (2) have only limited commercially significant purpose or use other than to circumvent, or (3) are marketed with the knowledge that they will be used for circumvention purposes.
 

The prohibition against the act of circumvention prohibits such acts as the use of a bootleg password or "crackz" application to gain unauthorized access to a pirate copy of computer software. Unlike the prohibition against trafficking in anticircumvention tools, however, the prohibition against acts of circumvention will not become effective until October 28, 2000. Nevertheless, the combined force of the availability of encryption technologies and the prohibitions in the DMCA that protect against acts of circumvention and trafficking in circumvention tools, likely will reduce fears of rampant downstream piracy sufficiently to encourage rights holders to make their works available to others online.
 

The anticircumvention prohibitions are not without their limitations. Notably, section 1201(g) of the DMCA provides an exception to the prohibitions against circumvention of technological protection measures contained in Section 1201(a) of the DMCA. This exception permits a person to circumvent encryption implemented as a technological measure to a published work in the course of good faith encryption research when certain conditions are met.
 

Section 1201(g)(5) of the DMCA requires the Register of Copyrights and the Assistant Secretary for Communications and Information of the Department of Commerce to jointly report to Congress on the impact that subsection 1201(g) of the DMCA has had on encryption research by no later than October 28, 1999. In particular, the DMCA requires that this report inform Congress on the effect that section 1201(g) has had on: (1) encryption research and the development of encryption technology; (2) the adequacy and effectiveness of technological measures designed to protect copyrighted works; and (3) protection of copyright owners against the unauthorized access to their encrypted copyrighted works.
 

To date, section 1201(g) has had no discernable effect on encryption research, the development of encryption technology, the adequacy and effectiveness of technological measures designed to protect copyrighted works, or the protection of copyright owners against the unauthorized access to their encrypted copyrighted works. Only nine months have passed since the anticircumvention trafficking prohibitions in Section 1201(a)(2) of the DMCA became effective. While technology progresses and digital distribution practices change at an extraordinarily rapid pace in the digital age, we have seen no change in the market for encryption technologies or the products and services that use such technologies during this time that would warrant a change to section 1201(g).
 

SIIA believes that the exceptions in section 1201(g) are narrowly crafted and well balanced. The statutory language contained in the good faith encryption research exception was arrived at only after extensive negotiation, debate, and consultations between the interested parties and various officials in the executive and legislative branches of the government. We therefore advise against any alteration of section 1201(g), as doing so would upset the delicate balance the parties were able to achieve last year.
 

Further, as noted above, the prohibitions against conduct in section 1201(a)(1) have not yet gone into effect. This is particularly significant given that the exception in section 1201(g)(2) applies only to the conduct prohibitions in section 1201(a)(1). Because the conduct prohibition has not gone into effect, the exceptions in 1201(g)(2) have been of no consequence. Therefore, the exceptions in section 1201(g)(2) have had no impact whatsoever on encryption research and development or the use of technological measures.
 

Unlike the encryption research exception contained in section 1201(g)(2), the encryption exception contained in section 1201(g)(4), which applies to the prohibition against trafficking in circumvention tools, has been in effect the past nine months. As stated earlier, we also have seen no evidence that this exception has had any impact on any of the three factors that the Copyright Office and NTIA are required to report to Congress.
 

For the aforementioned reasons, SIIA and its members believe that section 1201(g) should not be altered. We are aware of no evidence that section 1201(g) of the DMCA has impacted encryption research or the development of encryption technology. Nor does there appear to be any evidence that section 1201(g) has any impact on the adequacy and effectiveness of technological measures designed to protect copyrighted works or the protection of copyright owners against the unauthorized access to their encrypted copyrighted works.
 

Thank you for this opportunity to comment.

*****

Time Warner Inc.
75 Rockefeller Plaza
New York, NY 10019

July 26, 1999

Paula J. Bruening, Esq.
Office of Chief Counsel
National Telecommunications and Information Administration
Room 4713
US Department of Commerce
14 Street and Constitution Avenue NW
Washington, DC 20230

Jesse M. Feder
Office of Policy and International Affairs
US Copyright Office
Copyright GC/I & R
P.O. Box 70400
Southwest Station
Washington, DC 20024
 

Re: Section 1201 (g) of the Digital Millennium Copyright Act (Docket No. 990428110-9110-01)
 

Dear Ms. Bruening and Mr. Feder,
 

I am grateful for the opportunity of submitting comments on behalf of Time Warner Inc. in response to the request for comments announced in the Federal Register Volume 64 No. 102.
 

Time Warner Inc. is, as you know, one of the leading companies engaged in the production and distribution of copyrighted works including motion pictures and phonorecords. As such, it is vitally interested in adequate and effective protection of copyrights. In that connection, Time Warner devotes significant resources to fighting unauthorized uses of its copyrighted works in the United States and abroad.
 

Time Warner employs encryption technology in order to protect its audiovisual products from unauthorized uses and devotes significant resources to the development and implementation of protective technologies for its audio and audiovisual works. The Request for Comments seeks information with respect to, inter alia, the effects of Section 1201 (g) of the Digital Millennium Copyright Act on "protection of copyright owners against unauthorized access to their encrypted copyrighted works."
 

Section 1201 (g) which is headed "Permissible Acts of Encryption Research" provides that it is not a violation of Section 1201 (a) (1) (A) (which prohibits circumvention of technological measures that control access to protected works) for a person to circumvent a technological measure "in the course of an act of good faith encryption research" if certain criteria are met.
 

Among the criteria are (i) that such act is necessary to conduct such encryption research (Section 1201 (g) (2) (B)) and (ii) the researcher made a good faith effort to obtain authorization before the circumvention (Section 1201 (g) (2) (C)).
 

These provisions have the laudable purpose of supporting research into encryption and thus encouraging discovery of weaknesses in encryption systems that would render them ineffective as protectors of copyright. There are, however, threats to copyright protection that are apparent on the face of the provisions in question.
 

It is far too early (less than nine months after passage of the Digital Millennium Copyright Act) to have accumulated any hard evidence of the impact of Section 1201 (g) on protection of copyrights. Nevertheless, there has been sufficient history both prior to and since passage of the Act to warrant expressing a few cautions and some suggestions in connection therewith about the serious impact on copyright owners of misuse of "research" that could be encouraged by Section 1201 (g).
 

Where a copyright protection technology has been overcome, i.e. the encryption code broken, the "research" that led to that was not done by the iconic individual in his/her garage but, rather, by groups of persons having access to large computers in business or academic locations. Such research, more often than not, was not at the request or with the authorization of the owner of the encryption system or an authorized user thereof, and the motives for undertaking such "research" varied from scientific to pernicious.
 

Whatever the motives, because the "research" is not conducted by an isolated individual, word quickly gets around about how to break a particular encryption system.
 

When so-called "pirate smart cards" or similar devices are marketed, the advertising for them typically includes a disclaimer "for research only" - with much the same veracity as radar detectors for automobiles are advertised as "not intended to encourage speeding."
 

What is needed in order to protect against "research" that has these damaging results are measures to assure that those who do the research are doing so for legitimate reasons and meet the criteria set forth in Section 1201 (g) (2) (A) -(D). Some factors to be used in determining whether a person qualifies for the exemption are set forth in Section 1201 (g) (3) but there are a few serious weaknesses in the regime so established which should be dealt with by an amendment or clarified by regulation.
 

Perhaps the most important requirement as a basis for exemption is that the person doing the research do so with actual written authorization of the owner of the encryption system. There is no reason to suppose that owners of encryption systems would be unwilling to authorize legitimate researchers to test for weaknesses in the encryption systems. Leaving the criterion, however, at merely making "a good faith effort to obtain authorization" (Section 1201 (a) (2) (C)) could allow for illy motivated "researchers" to meet this qualification by sending off (or even claiming to send off) a letter, a fax or an e-mail which does not reach its destination. On the other side of this coin, such a requirement would impose on the owner of the encryption system a burden of attending to its mail, fax and e-mail communications with more speed than it may be able to muster.
 

Secondly, in this same context, the statute does not tell us what happens if a researcher does make "a good faith effort to obtain authorization" and the owner of the technology turns down the request. As suggested above, many of these problems could be resolved if actual written authorization were required.
 

Among the safeguards that would flow from a requirement for actual written authorization is the possibility that the owner of the technology might require, as a condition of granting authorization, that the researcher agree not to disclose any facts about the technology or about the results of the research. In the absence of such a non-disclosure agreement, the ability to break an encryption system becomes, as suggested above, widely known. Such a non-disclosure provision should be considered a reasonable condition of a grant of authorization.
 

Thank you for your consideration of these comments. My colleagues and I at Time Warner Inc. would be happy to meet with you to discuss these issues at your convenience.
 

Respectfully yours,
 

Bernard R. Sorkin

Senior Counsel

*****



Paula J. Bruening
Office of Chief Counsel
National Telecommunications and Information Administration
Room 4713
U.S. Department of Commerce
14th and Constitution Avenue, N.W.
Washington, D.C. 20230

Jesse M. Feder
Office of Policy and International Affairs
U.S. Copyright Office
Copyright GC/I&R
P.O. Box 70400, Southwest Station
Washington, D.C. 20024
 

Re: Request for Comments on Section 1201(g) of the Digital Millennium Copyright Act, Docket No. 990428110-9110-01
 

Dear Ms. Bruening & Mr. Feder:
 

As professionals working in data security and encryption, we wish to comment on the "expert exception" of the Digital Millennium Copyright Act. In general, we believe that the DMCA together with the "expert exception" will be very detrimental to the general interests of the American public, individuals and businesses alike. Specifically, as an integral part of the DMCA, we feel the "expert exception" will not provide assistance in combating illegal copying and other breaks, but instead will act as a shield for inappropriate and bad security and actually promote undesired exploits.
 

The expert exception allows for professionals, academics, and licensees with consent of the content owners to analyze the cryptography of the products or technology. Others are restricted from doing so, except under a small set of conditions. Further, the dissemination of any information regarding weaknesses of a system is restricted to the same group of interested parties. While well intended, there are troubling aspects to this: Without broadening this exception, the likely consequence will be a weakening of the overall strength and quality of the products that are brought to market. The licensees of technology will be less certain of the consequence of using that technology and put at far more jeopardy than before the act with the "exception" were made into law. The reliance on consent as a requirement for licensees to examine technology is unreliable and inappropriate when considered for cryptographic examination and testing. These points are examined immediately below.
 

First, regarding who can challenge. It is in everyone's interest to examine cryptographic and security systems as widely as possible. Any problems with a system will be found eventually. It is simple: better sooner than later. It is simply necessary to provide a wide opportunity of analysis to the whole community of computer professionals, content providers, prospective licensees and others just to gain satisfaction about the relative protection of systems used by users. After all, the protection of all parties involved is what is at stake here. Cryptography used in a system should be thoroughly examined for the same reason cars go through crashing tests, with results available to the consumers. Cryptography is no longer a research topic; it is rather a technology used in a wide variety of commercial systems. The overall protection that a licensee can expect from a vendor cannot be evaluated always from a single work or even a selected body of works that they have access to. Instead, the strength of the cryptography and security will be from the entire body of materials and technology suites that use the technology. Giving the right to challenge to a small number of testers on a selected amount of material may not provide enough exposure to all the potential problems to provide confidence to any of the parties.
 

The security industry as a whole condemns "security through obscurity" as ineffective. Obscurity in a system is ultimately analyzed and the problems with it seen. What was obscure, if important, becomes widely analyzed and quite open. The security of a system is as good as the number of qualified and interested people who have examined the system. The crux of the matter is "against whom are you protecting?" Bad guys will examine it no matter what. You just can't stop it. It is far better for all the interested parties to allow everyone to look at cryptography right off the bat. The real protection of intellectual property comes from the copyright law, rather than from the encryption that prevents its easy copying; the quality of the encryption must stand on its own regardless of who is trying to break it. Real security is built on technology that works, regardless of who knows about it. Content owners must understand the level of security that technology provides. All content providers simply cannot employ enough security professionals to analyze and attack copyright encryption schemes (especially small ones!). It is impossible for them to examine all the potential uses of systems and applications that might expose any problems. There must be a recognition that the open analysis and sharing of information in the broad commercial and academic communities is necessary to protect all parties' interests in matters related to copyrighted material.
 

There is a saying in the industry, "no security is better than weak security". Weak security has a number of bad consequences. It provides essentially no protection, it introduces cost for consumer and producer, and it hides problems. With the new act and the restrictions of the "exception", this latter problem becomes enormous. In fact, claiming to have security without doing the required due diligence can be easily positioned as "deception" from the consumer standpoint and could be litigated as knowingly marketing and selling products without doing the best to ensure proper functionality. Providing any statement to consumers regarding the functionality of the product is not valid without proper examination, publicly.
 

The exception attempts to restrict the actual testing to parties that have connections to the technology in question. Besides professionals and academics, these are direct licensees of the technology, and then only if they have the consent of the relevant copyright holder. This is simply not the way technology is tested and evaluated these days for licensing or adoption. Especially in the case of communications systems, openness is crucial. A vendor's choice of encryption technology actually affects the entire industry. The failure of even one vendor to establish and choose the appropriate encryption technology can have widespread effects on the entire industry. It is no longer the case that commercial interests are served directly by academic pursuits. A viable technology needs to be tested and serviced by the actual community of users. This restriction is just setting up for an enormous failure.
 

There is a false belief that "cryptography" lives in a vacuum. Like many parts of technology, cryptography is utilized as a component in increasingly complex systems. Encryption is now a basic component of many operating systems, hardware platforms, and application software. It is not only the security expert but also computer system engineers and quality engineers who need to certify and examine the technology. As such, testing the entire system must include certain tests of the correctness and robustness of the encryption subsystem. With this exception as written, such tests may actually be in violation of the proposed law. This merging of unencrypted and encrypted data is probably going to be the most significant change to the nature of systems over the next few years. The discipline of maintaining an environment that can actually be trusted is a requirement for the U.S. industry to lead as it has.
 

The question even arises as to who this exception will actually benefit. It seems obvious that most interested parties benefit more from a wider body of testers than the exception allows. Potential licensees of a technology need to know whether they can trust the security of the system or not. It is a huge undertaking to decide on and implement a technological solution. If they can't submit it to arbitrary tests, they can't make an intelligent decision. Take a silly case, where all data of a product is encrypted with a minimal key, say 1 byte. But the producer may represent it as secure. According to this act, anyone who intentionally tested the security if not for research or directly established commercial interest would be in violation. But, any attacker would go after the key and it would happen rapidly using available cryptanalysis tools. The protection in that environment is afforded to the attackers rather than the content producers or the licensees of the technology. The licensee and original technology providers are both losers. Consumers lose when technology is unavailable or flawed. Only competitors or hackers seem to be victorious.
 

In conclusion, though there is no question that the issue of copyright protection is a serious one that needs significant legislative attention, the "expert exception" hurts the overall effort of development and protection of intellectual property. As computer security and cryptography specialists we encourage a much more open and realistic approach to the problem. Ultimately, the protection of any data will depend on the overall strength of the cryptography and systems that implement the security. This should be acknowledged with an "exception" that encourages as much testing and overall cooperative development of technology as possible. Weak cryptography will always be broken. It is better to focus on the illegal use of content and corresponding enforcement rather than to limit activities that promote cryptography and technology that actually work.

Thank you very much for giving us this opportunity to comment.
 

Sincerely,
 

Taher Elgamal
President
Kroll O'Gara Information Security Group
 

Dan Kolkowitz
Vice President
Kroll O'Gara Information Security Group
 

Mark Chen
Chief Cryptographer/CTO
Kroll O'Gara Information Security Group

*****

Before the

COPYRIGHT OFFICE

LIBRARY OF CONGRESS

and the

NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION

UNITED STATES DEPARTMENT OF CONGRESS





-----------------------------------------------------x
In the Matter of                                     :
                                                     :
                                                     : Docket No. 990428110-9110-01
Effects of the Digital Millennium                    : RIN 0660-ZA09
Copyright Act on Encryption Research and             :
Development of Encryption Technology                 :
-----------------------------------------------------x
 
 

COMMENTS OF THE AMERICAN SOCIETY OF COMPOSERS, AUTHORS AND PUBLISHERS ON SECTION 1201(g) OF THE DIGITAL MILLENNIUM COPYRIGHT ACT

The American Society of Composers, Authors and Publishers ("ASCAP") hereby submits these comments in response to the Notice of the Copyright Office and the National Telecommunications and Information Administration of the United States Department of Commerce ("NTIA") of May 25, 1999, 64 Fed. Reg. 28802 (May 27, 1999). The Notice of the Copyright Office and the NTIA was given pursuant to 17 U.S.C. §1201(g)(5), as adopted in the Digital Millennium Copyright Act ("DMCA"), Pub. L. No. 105-304, 112 Stat. 2860 (Oct. 28, 1998). That section directed the Register of Copyrights and the Assistant Secretary for Communications and Information of the Department of Commerce to prepare a report for the Congress examining the impact of section 1201(g) on: (a) encryption research and the development of encryption technology; (b) the adequacy and effectiveness of technological measures designed to protect copyrighted works; and (c) protection of copyright owners against the unauthorized access to their encrypted works. The Notice is intended to solicit comments from interested parties that will be considered in the preparation of that report.

ASCAP's Interest in this Proceeding.

ASCAP is the oldest and largest musical performing rights society in the United States with a repertory of millions of copyrighted works and more than 85,000 songwriter and publisher members. ASCAP is also affiliated with over 60 foreign performing rights organizations around the world and licenses the repertories of those organizations in the United States.

ASCAP members, as owners of copyrighted musical works, enjoy exclusive rights in those works as are granted under section 106 of the Copyright Act. These rights include the right to perform the works publicly, the right to produce the works in copies and the right to distribute such copies. On behalf of its members and affiliated foreign performing rights societies, ASCAP licenses only their non-dramatic public performance rights.

The types of users to whom ASCAP grants public performance licenses are wide and varying, and include, for example, television and radio broadcasters, hotels, nightclubs and colleges and universities. As new means of technology have been created to transmit music, ASCAP has sought to offer new forms of licenses appropriate to these mediums. Thus, as transmission of copyrighted musical works became possible over the Internet, ASCAP became the first performing rights organization to license these transmissions.

More recently, and of relevance to this proceeding, ASCAP has been exploring on behalf of its members, watermarking technology and other means of "digitally marking" a copyrighted work so that the public performance of a work so marked if digitally transmitted can be tracked and the owner of such work properly compensated for the work's performance. Clearly if means of "hacking" or circumventing this watermark were to be used, it would undermine the copyright owner's rights.

As the Copyright Office is aware, ASCAP has sought to represent its members' concerns over the impact of digital transmission on their rights as copyright owners in the recent studies being conducted by the Copyright Office, at the direction of Congress. Indeed, ASCAP participated in the Copyright Office's recent studies on the matter of notice to libraries and archives of normal commercial exploitation or availability at a reasonable price, see 63 Fed. Reg. 71785 (Dec 30, 1998) (Copyright Office Notice for Comments), and in the study of the promotion of distance education through digital technologies. See 63 Fed. Reg. 63749 (Nov. 16, 1998) (Copyright Office Notice for Request of Information). With regard to the study on distance education, ASCAP's contributions to the Copyright Office's study were acknowledged in the Office's report. That study culminated in recommendations given to Congress which supported an "updating" of copyright law to permit the use of digital technologies to provide distant education, while still taking into account the need to employ appropriate technologies to secure copyright owners' rights. See Report on Copyright and Digital Distance Education at www.loc.gov/copyright/disted.

As the technological landscape is radically changing, copyright owners have been struggling to take advantage of the new possibilities technological advancements offer, while still protecting against unauthorized and unlicensed uses. For example, in its comments to the Copyright Office with regard to digital distance education, ASCAP strongly recommended that any legislation with regard to the digital delivery of distance education include guidelines that safeguard against abuses; and, specifically recommended that such guidelines include technological safeguards to protect against the unauthorized use of ASCAP's members' copyrighted works.

ASCAP has always heralded the advancement of technology. Such advancement acts to encourage and advance our members' creative process and output. Nevertheless, at the same time, ASCAP strives to ensure that its members are duly compensated for the use of that creative output. It is for this reason ASCAP supported the enactment of section 1201(g) in the DMCA, which specifically prohibits the act of circumventing technological measures that effectively control access to a copyrighted work protected under the Copyright Act and the manufacture, import, offering or trafficking in any technology or product which is primarily designed or produced to circumvent a technological measure that controls access to a copyrighted work.

Nonetheless, ASCAP understands that in order to properly safeguard against unauthorized uses of its members' copyrighted works, constant research and development of effective protective measures is necessary. Accordingly, ASCAP appreciates that the exception created by section 1201(g) is intended to permit good faith encryption research, defined by section 1201(g)(1)(B) as the "activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products." However, as with any legislative exception, certain limits and guidelines must be set.

Issues of Concern to ASCAP

ASCAP supports the limitations already set forth in section 1201(g)(2) and guidelines set forth in section 1201(g)(3). The limitations of section 1201(g)(2) require the researcher to have obtained the copyrighted work lawfully and to have made a good faith effort to obtain authorization from the works' owner prior to circumvention, and requires that the circumvention be "necessary to conduct such encryption research." The factors in determining whether the research fits under the exemption under section 1201(g)(3) include: (a) the dissemination of the information derived from the encryption research; (b) the person performing the circumvention; and (c) whether the copyright owner is given notice of the findings of the research.

However, ASCAP is concerned that in order for this exemption to serve its intended purpose, the following three factors must be more carefully considered and delineated so it is clear: (1) who may perform the research; (2) what the permitted purposes for the research are; and (3) what may be done with the research once performed. By focusing on these factors, the limits to the exemption can and should be structured such that it permits only research that is truly directed at studying the flaws and vulnerabilities of encryption technology for the benefit and protection of the copyright owner.

(1) Who May Perform the Research? An exemption for encryption research should explore more than whether the person is engaged in a legitimate course of study and whether the person is experienced in the field of encryption technology as provided in section 1201(g)(3)(B). Research can be broken into three groups: (i) academic research; (ii) governmental research; and (iii) research for private commercial concerns. To the extent that there are differences between these groups, legislation should take into account those differences. However, in all cases, the recommendation should explicitly state that no entity, including federal and state governmental entities, is immune from application of the U.S. copyright laws and that all entities must respect the rights of copyright owners. Accordingly, section 1201 should specifically include governmental circumvention within its general rule and its exceptions, including section 1201(g)(2).

(2) What are the Permitted Purposes of the Research? The definition of encryption research under the statute specifies that the research must be done in the pursuit of identifying and analyzing flaws and vulnerabilities of encryption technology as part of advancing "the state of knowledge in the field of encryption technology" or to assist in the development of encryption products. ASCAP is concerned that this definition may not necessarily protect copyright owners from those who may indeed be advancing the state of knowledge of encryption, but for less than genuine purposes. For example, it may be that a student engaged in a legitimate course of study may be engaged in research of encryption technology - research which may indeed advance the field - but could be deployed in a manner that would run counter-active to the interests of protecting copyrighted works.

Presently, notice and documentation are merely factors in determining the exemption under section 1201(g)(3)(C). The Copyright Office and the NTIA should propose regulations that spell out how these factors may be satisfied. For example, the person conducting the research could be required to give the copyright owner of the work to which the technological measure is applied notice of the research prior to its performance, a list of those who will be performing the research and documentation of the research once the research is completed. Alternatively, instead of satisfying the above criteria, a researcher would have to comply with certain research guidelines, such as a requirement that any research which requires pre-approval or is funded through a grant - public or private - may be subject to set preconditions that must be strictly enforced and could then guarantee that a legitimate purpose for the study is being pursued.

ASCAP urges the Copyright Office and NTIA to explore a means of ensuring the narrow application of this exemption so that it only permits legitimate encryption research that respects and protects copyright owners' rights.

(3) What May be Done With the Research? An additional factor in determining whether the 1201(g) exemption applies is whether the information derived from the research is disseminated, and if so, whether it is disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology. As it has been observed, the effectiveness of encryption technology is contingent on the ability to keep such technology out of the hands of those who may abuse it. Therefore, ASCAP supports this factor as a control against infringing use of copyrighted works, but would recommend promulgation of regulations whereby researchers would be prohibited from disseminating their research to anyone or entity that may further deploy that research in a manner that is adverse to copyright owners' interests and that the burden is on the researcher to inquire of the person or entity to whom the research is to be disseminated that the information will not be put to such adverse uses. If not unduly burdensome, researchers should also be required to provide to the copyright owner or their agent or their representative organization (such as, a collecting or performing rights society, a recording or publishing association) upon whose works the encryption research was performed, a list of all those to whom the research was disseminated and a certification that the person to whom the research is being supplied is not believed to be seeking the information for purposes adverse to copyright owners' interests. Such requirements would go a long way towards preventing research from being disseminated to those who might abuse the findings of the research while at the same time it would permit copyright owners to retain better control over the exploitation of its works.
Control over use is one of the exclusive rights granted under the Copyright Law; encryption research under this exemption to the extent permitted should not undermine any of the exclusive rights of copyright owners.

Conclusion

ASCAP, while not directly involved in the research of encryption technology, is on behalf of its members exploring the uses of such technology and has a great interest in ensuring that such technology protects the copyrighted works of its members. ASCAP hopes that the Copyright Office and the NTIA will take the above issues that ASCAP has pin-pointed into consideration in making its report to the Congress on the effects of section 1201(g) on encryption technology.

Dated: July 26, 1999

Electronic Copy Filed by e-mail
Pursuant to the Notice's Instructions
 
 
 
 
 
 

Respectfully Submitted,
 
 
 
 

AMERICAN SOCIETY OF COMPOSERS,

AUTHORS AND PUBLISHERS

Joan McGivern

Samuel Mosenkis

ASCAP

One Lincoln Plaza

New York, N.Y. 10023

Tel. (212) 621-6204

Fax (212) 787-1381

e-mail - Jmcgivern@ascap.com



Smosenkis@ascap.com

*****


Comments from the Business Software Alliance (BSA)