[Upd-discuss] Article: Copyright Loophole May Let Corporations Duck Scrutiny
Andy Oram
andyo@oreilly.com
Thu, 16 Mar 2000 14:55:12 -0500 (EST)
http://www.oreilly.com/~andyo/ar/filter_copyright.html
March 15, 2000
COPYRIGHT LOOPHOLE MAY LET CORPORATIONS DUCK SCRUTINY
by Andy Oram
[1]American Reporter Correspondent
CAMBRIDGE, MASS.--Imagine that a company loses a lawsuit for a faulty
product that caused deaths or severe damage, but manages to have the
court records sealed as part of the settlement. (This routinely
happens.) Imagine further that they have to report some details about
the case in an annual report. When the report is distributed through
standard channels, an enraged shareholder can legally pass it to a
reporter and the reporter can quote it. But in the future, a company
may choose to email the report, lightly encrypted, and claim a
violation of its "technical self-help protection measures" when the
truth hits the newsstands.
This danger is why we should pay attention to a story of apparently
minimal significance that turned up around March 8 in some of the
computer trade news sites and online discussion groups. On its surface,
the story looked like just another lark by young hackers. But to the
discerning eye it opened up a chasm onto corporate irresponsibility.
The blustering company in this case was [2]Symantec, a long-time vendor
of filtering software called I-Gear that promises to keep kids from
viewing sleazy Web pages or engaging in saucy online chats. As always
happens when someone seriously evaluates one of these software
packages, the results showed that the choices of what to block were
arbitrary, unfair, spotty, and sometimes even bizarre.
"The blocked pages included a 75 K page written entirely in Latin, a
description of a milking machine system written in Spanish, and volumes
4 and 6 of `The Decline and Fall of the Roman Empire'," wrote Bennett
Haselton, who delved into I-Gear's code and posted the results
(http://cryptome.org/igear-fire.htm) on his [3]PeaceFire anti-filter site.
Most filter companies are secretive about what sites they block; they
claim that the information represents a competitive advantage over
other filtering software. It's more likely that revealing the list would
cause customers to question the reliability, if not the sanity, of
those doing the rating. The question is whether customers have a right
to know what the products they use are doing under the hood--and whether
free speech protects those who try to warn them.
There are several ways to figure out what Internet sites are being
blocked; the simplest is just to try various common Web sites or
keywords and see what fails to get through. But for maximum visibility,
some programmers like to crack the files of blacklisted Web sites
distributed with filtering programs. For this purpose, experts use
reverse engineering, a technique for figuring out what code is doing
that has been exploited by professional computer users ever since
programming languages were invented.
But reverse engineering and code-cracking have been under attack over
the past few years. The campaign began in scattered law clauses and
initially appeared to affect only a few small constituencies, such as
companies developing products that competed with popular software
packages. But experts in computer science predicted from the beginning
that such bans would lead to abuses by a wide range of companies trying
to avoid having their practices brought to light--and they were right.
The first shots fired were in an audio recording act of the early
1990s, and then the massive [4]Digital Millennium Copyright Act of
1998. The companies pushing these laws planned to use encryption (or
scrambling) to keep people from copying their products, and anticipated
that someone would be able to break the encryption.
Thus, the laws made it a crime to manufacture or distribute any device
whose "primary purpose" was to overcome such technical protection
measures. As narrowly as the legislators tried to word such
prohibitions, they represented an astonishing restriction on the
freedom to do research and engineering.
It took a couple years for the dire predictions of computer scientists
and free-speech advocates to hit. Then the DMCA was employed in a
widely publicized lawsuit by the manufacturers of DVDs and the motion
picture industry. When someone decrypted their weak controls so that
people could play DVDs on Linux systems, these companies undertook the
daunting job of prosecuting everyone they could find who posted the
offending software on a Web site.
Even this show of corporate muscle, however, stayed within the realm of
copyright debates. The movie studios and DVD makers simply wanted to
control the use of their wares (a goal opposed to the customers'
traditional right to make use of a product any way they want). Symantec
is threatening to use copyright law for an entirely different end: to
keep the public from examining and discussing its actions.
Haselton had a sense this was coming; back on February 22 he published
an [5]appeal to defend the DVD decryption sites and to fight [6]UCITA,
a proposed law that would enshrine the restrictions software companies
like to put on reverse engineering. (Almost any commercial software you
buy, if you check the license, will prove to include a ban on reverse
engineering, but unless UCITA is passed the ban is unsupported by court
precedent.) The current threat by Symantec is by no means the first
that Haselton has suffered for his efforts to educate filter users.
Isn't it bizarre that Symantec claims to hold a copyright on
information coded deep in hidden files? Copyright is for things that
the creator wants people to see, like this article. In software,
copyright has traditionally been used to prevent an employee from
jump-starting a new company by reusing code from a previous firm.
Copyright is a powerful weapon, so any attempt to broaden its
definition is dangerous.
Symantec is on shaky ground in claiming that Haselton has misused their
intellectual property, whether they invoke copyrights or trade secrets.
But we still don't know how the courts will rule on the use of the
DMCA, or UCITA (which was passed into law yesterday by the state of
Virginia and is under consideration by most other states).
Thus, the trend among companies with something to hide is to use
intellectual property as their shield. While Symantec wants to keep its
filters secret, an automobile manufacturer can't keep a consumer
advocate from opening the hood of a car and checking how its engine
filters air. But in the future, an automobile manufacturer might embed
the complexities of its filtering in a computer chip and use the
Symantec defense to keep consumer advocates from investigating its
practices.
So the story of the I-Gear fight should be bigger news. It's bigger
than technical questions of computer security, even bigger than the
debate over Internet censorship. We're talking about the right to share
information about corporate practices, and that touches everyone.
__________________________________________________________________
Cyber Rights moderator, Computer Professionals for Social
Responsibility--[7]cyber-rights-owner@cpsr.org
Editor, O'Reilly & Associates--[8]andyo@oreilly.com
Author's [9]home page
Other [10]articles in chronological order
[11]Index to other articles
References
1. http://www.american-reporter.com/
2. http://www.symantec.com/
3. http://www.peacefire.org/
4. http://lcweb.loc.gov/copyright/legislation/hr2281.pdf
5. http://slashdot.org/features/00/02/21/1745232.shtml
6. http://www.badsoftware.com/uccindex.htm
7. mailto:cyber-rights-owner@cpsr.org
8. mailto:andyo@oreilly.com
9. http://www.oreilly.com/people/staff/andyo/index.html
10. http://www.oreilly.com/people/staff/andyo/professional/article.html
11. http://www.oreilly.com/people/staff/andyo/policy/index.html
__________________________________________________________________
This article can be redistributed online, with author and newspaper
attributions intact, for non-profit use. For printing or commercial
use, please contact Joe Shea, publisher of the American Reporter, at
JoeShea1@ix.netcom.com.