The O’Reilly Security Podcast: The chilling effects of DRM, nascent pro-security industries, and the narrative power of machines.In this episode, I talk with Cory Doctorow, a journalist, activist, and science fiction writer.
We discuss the EFF lawsuit against the U.S. government, the prospect for a whole new industry of pro-security businesses, and the new W3C DRM specification.Here are some highlights from our discussion around DRM:
How to sue the government: Taking on the DCMA
We [Electronic Frontier Foundation] are representing [Bunny Huang and Matthew Green] in a case that challenges the constitutionality of Section 1201 of the DMCA. The DMCA is this notoriously complicated copyright law, the Digital Millennium Copyright Act, that was brought in in 1998. Section 1201 is the part that relates to bypassing digital rights management (DRM), or digital restrictions management as some people call it. The law says that it’s against the rules to bypass this, even for lawful purposes, and that it imposes very severe civil and criminal penalties. There’s a $500,000 fine and a five-year prison sentence for a first offense provided for in the statute. The law’s been on the books, obviously, for a very long time—since 1998. Given that all digital technology works by making copies, it’s hard to imagine a digital technology that can’t be used to infringe copyright; no digital technology would be legal.
Recent changes add urgency
A couple things changed in the last decade. The first is that the kinds of technologies that have access controls for copyrighted works have gone from these narrow slices (consoles and DVD players) to everything (the car in your driveway). If it has an operating system or a networking stack, it has a copyrighted work in it. Software is copyrightable, and everything has software. Therefore, manufacturers can invoke the DMCA to defend anything they’ve stuck a thin scrim of DRM around, and that defense includes the ability to prevent people from making parts. All they need to do is add a little integrity check, like the ones that have been in printers for forever, that asks, "Is this part an original manufacturer’s part, or is it a third-party part?" Original manufacturer’s parts get used; third-party parts get refused. Because that check restricts access to a copyrighted work, bypassing it is potentially a felony. Car manufacturers use it to lock you into buying original parts.
This is a live issue in a lot of domains. It’s in insulin pumps, it’s in voting machines, it’s in tractors. John Deere locks up the farm data that you generate when you drive your tractor around. If you want to use that data to find out about your soil density and automate your seed broadcasting, you have to buy that data back from John Deere in a bundle with seed from big agribusiness consortia like Monsanto, who license the data from Deere. This metastatic growth is another big change. It’s become really urgent to act now because, in addition to this consumer rights dimension, your ability to add things to your device, take it for independent service, add features, and reconfigure it are all subject to approval from manufacturers.
How this impacts security
All of this has become a no-go zone for security researchers. In the last summer, the Copyright Office entertained petitions for people who have been impacted by Section 1201 of the DMCA. Several security researchers filed a brief saying they had discovered grave defects in products as varied as voting machines, insulin pumps and cars, and they were told by their counsel that they couldn’t disclose because, in so doing, they would reveal information that might help someone bypass DRM, and thus would face felony prosecution and civil lawsuits.
When copyright overrides the First Amendment
There are some obvious problems with copyright and free speech. Copyright is a government monopoly over who can use certain combinations of words or pictures, or convey certain messages in specific language, all of which seems to conflict with First Amendment rights. In both the Eldred and Golan cases, the Supreme Court said the reason copyright is constitutional, the reason the First Amendment doesn’t trump copyright, is that copyright has these escape valves. One is fair use. The other is what’s called the traditional contours of copyright, which determine what is and isn’t copyrightable (i.e., copyright only covers expressions and not ideas, copyright doesn’t cover non-creative works, and so on). But the DRM situation is urgent. Because DRM can be used to restrict fair use, because it can trump the traditional contours, and because it has criminal penalties, we were able to bring a challenge against it. When there are criminal penalties, you don’t have to wait for someone to sue you. You can sue the government.
EFF is suing the US government to invalidate the DMCA’s DRM provisions (BoingBoing)
America’s broken digital copyright law is about to be challenged in court (The Guardian)
1201 complaint in full