Information security principles and practices

DMCA

The Digital Millennium Copyright Act (DMCA) is a controversial United States digital rights management law enacted October 28, 1998. The intent behind the DMCA was to create an updated version of copyright laws to deal with the special challenges of regulating digital material. Broadly, the goal of the DMCA is to protect the rights of both copyright owners and consumers. The law complies with the World Intellectual Property Organization (WIPO) Copyright Treaty and the WIPO Performances and Phonograms Treaty, both of which were ratified by over fifty countries in 1996.

This paper discusses the controversy surrounding the DMCA and why attempts to resolve these issues are now necessary.

The impact of the DMCA on organizations is far reaching. Key highlights include the DMCA's enforcement to:

Make it a crime to circumvent anti-piracy measures built into most commercial software.

Prevent the manufacture, sale, or distribution of code-cracking devices used to illegally copy software. Cracking of copyright protection devices is allowed to conduct encryption research, assess product interoperability, and test computer security systems.

Require service providers to remove material from users' Web sites that appears to constitute copyright infringement.

Require that "webcasters" pay licensing fees to record companies.

Require that the Register of Copyrights, after consultation with relevant parties, submit to Congress recommendations regarding how to promote distance education through digital technologies while "maintaining an appropriate balance between the rights of copyright owners and the needs of users."

The DMCA provides exemptions from anti-circumvention provisions for nonprofit libraries, archives, and educational institutions under certain circumstances. And, it limits liability of nonprofit institutions of higher education -- when they serve as online service providers and under certain circumstances -- for copyright infringement by faculty members or graduate students. The DMCA also limits Internet service providers from copyright infringement liability for simply transmitting information over the Internet.

The DMCA exemptions, in many areas, are not broad enough such as the case with reverse engineering. The DMCA generally prohibits circumvention of technological protection measures such as reverse engineering. The DMCA contains a limited exception to the ban on circumvention, which permits reverse engineering of the technology by specific classes of people for limited purposes. For example, the exception allows reverse engineering of computer programs if the reverse engineer lawfully obtains the program, seeks permission from the copyright owner, only uses the results of their efforts to create an interoperable computer program and does not publish the results. Further, the resulting program must only interoperate with the reverse engineered software and cannot interoperate with the technologically protected content such as movies, books and videos. Under the DMCA, engineers may also develop programs that facilitate reverse engineering for their own use or the use of others if they meet the above test.

In many instances, experts argue that the DMCA exceptions are far too narrow to be useful for many reverse engineering needs. While the reverse engineering exemption permits software programmers to develop and distribute circumvention tools as part of their projects, there are significant limitations over who can do so and in what manner they can do it. The DMCA mandates that only the person who performs the reverse engineering can provide the information necessary to achieve interoperability to others. Therefore, collaborative project environments conducted over the Internet, such as those used by many open source software developers may be considered illegal. Even if the sharing of information regarding circumvention is done for the purpose of developing an interoperable product, its placement on the Internet may be interpreted as "trafficking" under the circumvention device ban.

Many of the country's most prominent computer scientists and technologists tried to prevent the passage of the DMCA by signing a letter to the United States Congress warning that the DMCA would "imperil computer systems and networks throughout the United States, criminalize many current university courses . . . And severely disrupt a growing American industry in information security technology."

Specifically, critics charge that the act makes it illegal to circumvent protection schemes, even if the end-use purpose is legal. This means that a company could violate the DMCA provisions by performing full system backups with images that include anti-piracy-protected software. Others are concerned with the ramifications of making it illegal to traffic in tools that can circumvent protections. As a result, some developers of some security products have pulled their products from the market. One example is a company called LaBrea that sold a tool to trap worms by disguising its destination Web address. LaBrea decided to remove the application for fear that he would be charged with a crime. The DMCA has also been used by some companies to attempt to establish a monopoly. Lexmark, for example, charged makers of third-party ink cartridges with violating the DMCA when they made their cartridges compatible with a chip that Lexmark uses, arguing that the ink-cartridge makers broke copy protection to achieve compatibility.