Legal Restrictions on Cryptography

The U.S. government has placed two major restrictions on the use of cryptography in the United States of America:

  • U.S. Patents: The U.S. Patent and Trademark Office is increasingly being attacked for granting patents for products that are apparently not new. All the public key cryptography patents are now exclusively licensed to Public Key Partners (PKP). The penalties for patent infringement are the jurisdiction of civil courts. Most software programs such as Lotus Notes and many other Microsoft Windows programs come with a license for the RSA and Stanford public key encryption patents. The RSA algorithm was published even before its inventors filed for a patent; as a result, Japan and countries in Europe have been able to use most kinds of encryption without the trouble of negotiating licenses for patents from RSA or PKP.
  • Export controls: You should not think about sending a copy of PGP to your friends who live outside the United States so that you can communicate with them without interception by the authorities. Doing so can make you subject to a heavy fine, or jail, or both. Export of cryptographic material is governed by Defense Trade Regulations (formerly known as International Traffic in Arms Regulation or ITAR). A program that implements encryption can be exported only after obtaining a license from the Office of Defense Trade Controls (DTC). Before providing such a license, DTC, together with the National Security Agency (NSA), will evaluate the program. Part of the evaluation includes the determination of the encryption scheme. Generally, if weak encryption is implemented, the export is allowed; otherwise, the request is denied. In 1992, an agreement was reached between the State Department and the Software Publishers Association (SPA) to allow the export of programs that implement RSA Data Security’s RC2 and RC4 algorithms with a key size of 40 bits or less. Canada is a special case in the laws of exportation for cryptographic material. Canada has a liberal policy and allows any cryptographic software made in Canada to be exported without licensing. Current U.S. policy allows any cryptographic software to be exported to Canada without any license. However, as per Canada’s Rule #500, software cannot be further exported to a third country. Because of these strict requirements in U.S. policy, many companies are developing their software overseas and then importing it into the United States. An alternative that gives you the privacy you need while avoiding the hassle of getting a license is to use PGP version 2.6, which is easily available in the United States, to communicate with PGP 2.6ui, which is easily available outside the United States.

Summary

Cryptography and encryption have long been the domain of government organizations and big businesses. The explosion in the use of computers, the Internet, and public key cryptography has made it possible for individuals to protect their data using a variety of encryption techniques. This chapter discussed the various strategies used by encryption algorithms and the most common methods an experienced hacker may use to break the code and decipher the message. Several commercially available products (such as PGP for Personal Privacy and Norton Your Eyes Only) can be used to encrypt your messages. Various types of security are provided in Internet browsers such as Netscape Navigator and Microsoft Internet Explorer. We also analysed some commonly used techniques, such as substitution, permutation, XOR, and other cryptographic functions. No matter which technique you use, keep in mind that a desperate hacker can always decipher the message. You should take the necessary precautions to protect your data. Those precautions range from a proper choice of pass phrases to physically protecting your assets and yourself.

Software that might be useful:

  • OpenSSL
  • PGP
  • GnuPG

Who is Dmitry Sklyarov?

Still on bail for crimes against the United States Digital Millennium Copyright Act, Sklyarov’s real crime was pointing out that Adobe’s ‘professional’ encrypted ebook format used an algorithm so simple that it was child’s play to decrypt it. Software using his decryption algorithm went on sale in Russia (not subject to the DMCA, and incidentally, a country which is strongly against encryption tools) and so when he went to the US to give a talk on encryption/decryption, he was immediately arrested. He now faces a huge fine ($2 Million) and a ridiculous prison sentence (25 years is the maximum) for writing some code, which broke no laws in his country. If you would like to find out more, and help the campaign for his freedom, visit the homepage of the Electronic Frontier Foundation at www.eff.org.

What on earth is The DMCA?

What does DMCA stand for?

DMCA is the commonly used acronym of the Digital Millennium Copyright Act, which was originally known as Congressional Bill HR 2180. The act was passed as law in the USA in 2000. It’s a law, in other words, governing copyright.

So what’s the problem with that? There are plenty of laws governing copyright.

The DMCA has a number of provisions that are alarmingly different from previous copyright laws. In addition to extending the period of coverage of copyright to 70 years, the DMCA makes it an offence to try to crack any copy-prevention mechanism applied to a copyrighted work. It also institutes serious criminal sentences for violations (copy a DVD: risk going to prison for five years). Most seriously, it ignores some older rights, which under common law were possessed by copyright licensees – the people who bought a book, a record, a video, or whatever.

So have Americans lost any of their rights?

I should say so. One of the rights Americans have lost is the right to make backups for personal use (either for time-shifted reproduction of a film or record, or for safety’s sake in a computer program). If it involves breaking a copy protection (more accurately, a copy prevention) mechanism, it’s illegal – regardless of whether the mechanism merely enforces the letter of the copyright law, or goes much further (for example, by preventing you from reading an ebook until you’ve filled out a web form disclosing personal information to the vendor). Another right they’ve lost is the right to quote from a copyrighted item. Previously, under the doctrine of ‘fair use’ it was legal to quote snippets from copyrighted work (or sample a few chords from a musical composition) for your own use, to quote a few paragraphs in a book review, or to photocopy a small extract from a book for use in course notes in a classroom, for example. That right has been written out of the DMCA. It has not been explicitly withdrawn, but it has effectively been overruled by new, more draconian restrictions on copying that make no provision for fair use.

Where did the DMCA come from?

In the beginning, copyright protection in the United States only lasted 14 years, plus one optional 14-year renewal. This has been increased over the past 50 years. Big companies, such as the Disney Corporation, have lobbied for this to hang on to their intellectual property. It became obvious in the 1980s that copyrighted material – ‘intellectual property’ – was going to be the big money tree of the 21st century, so large media conglomerates decided to protect their revenue stream. Lobbying individual governments wasn’t going to deal with the problem of countries such as China that didn’t accept copyright law, so they began lobbying the World Trade Organisation (the body behind the GATT treaty on free trade) for international copyright agreements that would give them a stranglehold on music, film, video, book, and other forms of intellectual property.

Have any similar laws been introduced in America?

The DMCA is one of two laws that came out of the World International Property Organisation Copyright treaties, which were put in place in the early 1990s. The other is the Database Investment and Intellectual Property Antipiracy Act (1996), which makes it an offence to copy the structure of a database, even if the information contained in it is publicly available.

It’s an American law, right – why should it worry me?

Two reasons. Firstly, in July this year the European Commission passed a directive on copyright, the European Union Copyright Directive. The EUCD is frighteningly similar to the DMCA in scope, and because the EC has passed it, our own government will be enacting it in UK law in the next year or so. Guess what – it, too, makes it an offence to reverse-engineer access to files controlled by copy protection mechanisms.

Secondly, look at Dmitry Sklyarov as an object lesson. If the EUCD goes through, we can expect to see draconian prison sentences for trivial crimes – five years for a copyright violation is roughly the same sentence a mugger or hardened burglar could expect – and we can also expect to lose control over our ability to play music and watch films or videos without paying for the privilege every single time.

Final thought about the DMCA

Copyright has always been intended as a balancing act between the rights of authors/publishers and the rights of consumers. Technical advances are making it possible for publishers to take away technically what they would have a hard time justifying legally or morally. And unfortunately, in a misguided attempt to address copyright issues in the digital age, the U.S. government has given legal backing to the technical means through the DMCA, outlawing attempts at circumventing these technical protections. In effect, this gives publishers full and complete control over copyright issues, without the annoyance of actually having to go through the usual legislative debate and judicial review. As a shock to no one, the publishing industry (particularly the MPAA and RIAA) have used the DMCA as a bludgeon to attack anyone who suggests that consumers and citizens have rights too.

The history of copyright

The history of copyright has been written many times, but a good, brief account is available from the Association of Research Libraries. For the past several centuries, copyright law has tried to balance the rights of consumers with incentives to authors and publishers for promoting their work. It is quite explicit in the intent of copyright that in the sale of a copyrighted work, “once purchased the copyright owner does not control the use of the work”. Lawrence Lessig, a Stanford law professor and expert on these issues, echoed this observation in an interview when he pointed out that “The traditional idea of fair use - and the law has been extremely vague in defining this - is that the copyright owners do not have the right to perfectly control how you use their copyrighted material”.

However, the situation today with the DMCA is precisely the opposite of this intent: the use of the DMCA often does not have to do with limiting copying or distribution, but rather with restricting the use of the copyrighted work. The violation of this intent was described, among many other places, in a quote taken from a New York Times article in which they wrote “In the past, when a company published a book, the fair use rights of readers limited its control over the work. But if the same company issues a book today and encrypts it, its control over readers is far greater — in fact, almost unlimited — unless there is a right of access to the material.”

The DeCSS case is a particularly flagrant example of this: the DeCSS code does not have any effect on DVD pirates, who can simply copy a full disk as-is. The entire purpose of using CSS by DVD publishers seems to be to restrict how the material is used! The purpose of DeCSS was to allow legitimately purchased DVDs to be played on Linux, a system that at the time did not support DVD playback. It is abundantly clear that this is 100% OK with respect to copyright; however, it violates the DMCA, since the *use* of the material is in a manner inconsistent with what the publisher desired.

The erosion of the reader’s/listener’s rights has been a steady process for many, many years. The limited time granted for copyrights has been repeatedly lengthened, and now is a totally preposterous 70 years past the death of the author. While the “limited time” is no longer terribly limited, the introduction of the DMCA goes even farther in this extreme by allowing publishers to have an infinite-time monopoly on a work: they can simply put technological protection measures on a work, and the DMCA makes removing those measures a crime even when the work is no longer covered by copyright!

One of the big successes of publishers such as the RIAA and MPAA has been a steady erosion and public brain-washing regarding the point of copyright. A simple but effective measure has been the modification of terminology that is used for copyright violations: they speak of people “stealing intellectual property” or “theft of copyrighted music” in the trading of MP3s. The wide-scale copying à la Napster clearly is copyright violation, but “theft”? The definition of something being “stolen” means that it is taken from the rightful owner - and the owner no longer has possession of that item. As Jefferson observed several centuries ago, this simply doesn’t apply to the types of material that are copyrighted. Making a copy of an item doesn’t in any way remove that item from the original possessor, so “theft” is clearly an inaccurate terminology. However, the publishers’ insistence on using that word, and the public’s acceptance of it, means that a much more negative light is cast on an action that, while wrong, is nowhere near the severity of a true “theft.”

The use of terms “theft” and “intellectual property” cleverly casts copyright issues as being “property” issues, although Jefferson and other founding fathers explicitly did not accept the idea of writings as property. Remember: just because the publishers want you to think of recordings and music as property does not make it so!

One quote from Vaidhyanathan, talking directly about the DMCA:

This law has one major provision that upends more than 200 years of democratic copyright law. It forbids the “cracking” of electronic gates that protect works - even those portions of works that might be in the public domain or subject to fair use. It puts the power to regulate copying in the hands of engineers and the companies that employ them.

The last sentence is vital: the regulatory role regarding copyright has now been fully turned over to the publishers and technology producers. Congress has explicitly written itself out of the loop on such regulatory issues, and has thrown the balance between publishers and citizens entirely to the control of the publishers. The citizens have lost their voice in these matters, and unless Congress acts to drastically change the DMCA and reassert the consumer side of the balance, we simply will have no say in what rights the publishers deign to allow us to have.

Current DMCA cases

The DMCA has been used in a reprehensible fashion in at least 3 cases: the DeCSS case, the case of Edward Felten, and the case of Dmitri Sklyarov. The DeCSS case was mentioned above, where the MPAA used the DMCA as a weapon to attack a tool whose primary use is to make legal use of legally obtained material (DVDs). However, since the particular use is not sanctioned by the MPAA, they used the DMCA to criminalize what would otherwise have been a perfectly legal use.

Increasing the level of appalling behavior, the SDMI Foundation threatened to sue Professor Edward Felten for disclosing an attack on several of the SDMI audio watermarking technologies, even though the attacks were performed at the specific invitation of the SDMI Foundation! By participating in the SDMI challenge, and rejecting any claims to the cash prizes offered, the challenge announcement clearly allowed Felten to retain rights to publish details of his work. In the DeCSS case, Judge Kaplan decided that DeCSS could be suppressed, despite first amendment concerns, because computer code was not allowed the same rights as English prose. This seems to contradict the decision in the Bernstein case that source code is protected speech, but this is just one of the many decisions Kaplan made in this case that were very poorly thought-out. Kaplan decided that code wasn’t protected speech, so Felten’s paper carefully avoided including any code, and stuck to straight English descriptions. Even so, the SDMI Foundation, in its initial threats to sue Felten and his research group, was somehow trying to make the argument that English descriptions are no longer protected speech. This is clearly absurd, and the RIAA and SDMI Foundation have apparently understood this and backed off in their initial threats, now going so far as to claim they never intended to sue. However, their actions with Professor Felten are clearly at odds with their later revised history of events.

Finally, the case of Dmitri Sklyarov is perhaps the most appalling of all. Among its other problems, the DMCA has taken what has traditionally been a civil matter (copyright issues) and criminalized certain actions. Dmitri Sklyarov wrote a program that removes protections from Adobe e-books, restoring traditional fair-use rights to e-book owners. Furthermore, he wrote this program in Russia, where it is not illegal. His company (and I don’t believe there are any claims that he did this personally) distributed his unlocking software from a U.S. website, and on the basis of this Sklyarov was arrested when he made a trip to the U.S. Sklyarov has actually spent time in jail on these extremely flimsy grounds, and faces a criminal prosecution in the matter. Despite the fact that Adobe has subsequently said it doesn’t wish for Sklyarov to be prosecuted, the government is continuing in its case. This is apparently the reward that the government gives for people who stand up for their fair use rights under copyright law.

Useful links

http://www.gnupg.org
http://www.openssl.org
http://www.rsa.com/rsalabs/rsaalgorithm/
http://www.itl.nist.gov/fipspubs/fip186.htm
http://www.rfc-editor.org
http://www.eff.org
http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html
http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
http://csrc.nist.gov/encryption/aes/
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
http://www.linuxsecurity.com

3 Responses to “Encryption: part 2 of 2”

  1. Very nice post.. Greetings from the Speedy DNS

  2. akcijazr says:

    I would like to exchange links with your site http://www.cpp-home.com
    Is this possible?

  3. admin says:

    Hello, akcijazr! Unfortunately, not at this moment.