[IETF-IDRM] [IDRM] Fwd: IETF debates lawsuit risks of U.S. copyright act

Mon, 17 Dec 2001 10:11:05 -0800

IETF debates lawsuit risks of U.S. copyright act

By Carolyn Duffy Marsan
Network World Fusion, 12/13/01

The Internet's premier standards-setting body is concerned that its
participants could be subject to criminal or civil lawsuits under the U.S.
Digital Millennium Copyright Act as they develop security protocols that can
be used to protect copyrighted materials on the `Net. 

Although the risk is slim, the Internet Engineering Task Force (IETF) will
discuss the issue at an open mike session being held in Salt Lake City
Thursday night. 

The IETF's leadership became aware of the DMCA threat a few weeks ago, and
they have contacted their attorneys as well as experts at the Electronic
Frontier Foundation (EFF) for advice. At issue is whether ongoing research
in digital rights management or development of encryption protocols puts the
organization at risk. 

"Our lawyers have cautioned us not to disregard the threat, but the
likelihood of the IETF being challenged under DMCA is very small," says
Scott Bradner, the IETF's external liaison and a director of the IETF's
transport area. 

Bradner adds that the public image of a copyright holder that sued the IETF
for trying to improve Internet security would be badly damaged. 

"There's a theoretical liability, but I don't believe there's an actual
liability," Bradner adds. 

Passed in 1998, the much-maligned DMCA was a comprehensive reform of U.S.
copyright law designed to take into account advances in digital
communications. DMCA has provisions that allow the U.S. government to file
criminal charges against individuals who circumvent copyright protection
systems for commercial gain. DMCA also allows private lawsuits against
individuals who investigate the circumvention of copyright protection
systems. 

The IETF's digital rights management research - conducted by the group's
companion Internet Research Task Force - is not investigating copyright
protection systems. But "in the design of building good systems, we learn
from breaking systems," admits Thomas Hardjono, co-chair of the digital
rights management research group and a principal scientist with VeriSign. 

The research group is surveying work in digital rights management that is
being done in R&D labs, other standards bodies and in industry groups to
investigate the impact of these technologies on the IP network architecture.
Launched six months ago, the research group has met twice. 

At this point, the IETF has no plans to shut down or scale back the digital
rights management research effort. However, the IETF leadership is
discussing changing the name of the group to lower its profile. 

John Klensin, chair of the IETF's Internet Architecture Board, which
oversees the digital rights management research, says it's important for the
IETF to do a threat analysis but it should continue with its work. 

"It's important to be very aware of these issues...and then to proceed
because the alternative is paralysis," Klensin told the digital rights
management research group at its meeting Tuesday. 

Another option is for the IETF to require companies that pitch their
security technologies as potential standards to sign a disclaimer waiving
their rights to DMCA claims, much as they already sign a disclaimer on
intellectual property claims. 

"The DMCA could run the risk of really hurting the standards process by
making people afraid to test and publish their research,'' says Cindy Cohn,
legal director at the EFF. DMCA disclaimers "would restore confidence that
the technologies that are being rolled out as standards have been thoroughly
tested and vetted." 

Two recent, high-profile DMCA cases have caused anxiety among IETF
participants and other network researchers: 

* In July, the FBI arrested Dmitry Sklyarov, a Russian computer science
student, for an alleged violation of DMCA. Sklyarov delivered a speech in a
Las Vegas hotel pointing out security holes in Adobe's eBooks software. 

* In November, Princeton University Professor Ed Felten challenged the DMCA
on free speech grounds in federal district court, but the court dismissed
the case. Felten and a team of researchers from Princeton University, Rice
University and Xerox discovered security vulnerabilities in the digital
watermark technology under development to protect music sold on the `Net.
Two recording industry groups - the Recording Industry Association of
America and the Secure Digital Music Initiative Foundation - threatened to
file suit against Felten and his team if they published their research at a
conference. After intense media scrutiny, the two groups allowed Felten to
publish his work. 

Some members of the IETF community fear that because of these cases, the
DMCA will have a chilling effect on security-related research. 

"Among academics and scientists in the security area, the level of concern
is very high," Cohn says, pointing out that some security workshops will be
held overseas next year because of DMCA. "Many foreign scientists will not
publish their work because they don't want to get arrested." 