Copyright Management Systems and the DMCA

Rachna Dhamija
IS296A: Economics of Intellectual Property
Spring 1999

I. Introduction

II. Copyright Management Systems

What are Copyright Management Systems?
What are CMS used for?

III. The Digital Millennium Copyright Act

What is the DMCA?
What is the history of the DMCA?

IV. What the DMCA Says and Why it is Problematic

Section 1201- Circumvention of Copyright Protection Systems
Section 1202- Copyright Management Information

V. Legal and Technical Solutions

Recommendations to the Librarian of Congress
Building Fair Use and Privacy into CMS

References

Bibliography and Resources

Introduction

The Digital Millennium Copyright Act (DMCA) is a large and complex law. The technologies it regulates are also themselves complex. Hard as they are to understand, both the DMCA and the copyright management systems (CMS) it regulates have potential far reaching effects on freedom of speech, fair use, consumer privacy and information security.

My goal is to make both the DMCA and CMS more comprehensible to non-lawyers and non-technologists alike. Parts of this Act are currently being (re)evaluated and it is therefore important to understand its implications and problems. I will focus here only on Title I of the DMCA, which deals with circumvention of CMS and copyright management information (CMI), although other sections of the law are equally worthy of attention [1].

Copyright Management Systems

What are Copyright Management Systems (CMS)?

"Copyright management systems (CMS) technologies that enable copyright owners to regulate reliably and charge automatically for access to digital works are the wave of the very near future. The advent of digital networks, which make copying and distribution of digital content quick, easy, and undetectable, has provided the impetus for CMS research and development. CMS are premised on the concept of "trusted systems" or "secure digital envelopes" that protect copyrighted content and allow access and subsequent copying only to the extent authorized by the copyright owner. Software developers are testing prototype systems designed to detect, prevent, count, and levy precise charges for uses that range from downloading to excerpting to simply viewing or listening to digital works." [2]

What are CMS used for?

This section outlines the major functions of rights management technology. These functions include access control, use control, integrity protection, identification, usage metering, payment and copyright management. [3] Some examples of existing systems are also provided.

A. Access Control

A first set of functions are those that prevent access to and use of a work. By controlling access one can control the use of information; if it cannot be accessed, it cannot be used. Access control can be provided at the source of the content (e.g., password protection for a web based publication) or at the level of the user or receiver of the information (e.g. devices used to decrypt or descramble a signal). Access control can also control initial access to information (e.g. a CD-ROM which requires a one-time password to access it) or subsequent access (e.g. a shareware program that "times-out" so that it only works for a limited duration or fixed number of times).

An example is IBM's cryptolopes which are "encrypted envelopes", that "lock" (encrypt) information upon transmittal and require a password before they can be "unlocked" (decrypted).

B. Use Control

The second category of functions prevents certain uses of the work after it has been accessed. Copy protection is the most common type of use control, but control of other operations is possible.

A well known example of copy protection is the Serial Copy Management System (SCMS) in DAT recorders. SCMS permits first-generation digital-to-digital copies of prerecorded music and other audio works, but prohibits multi-generation or "serial" copies. (Note that this system does not prevent copying entirely, but that it simply prevents a digital work from serving as a "master" for subsequent digital copies because the subsequent copies will be of reduced quality). In the US, the AHRA mandates that SCMSs be built into digital home recording devices.
An example of other use controls is FileOpen software. FileOpen provides plug-in programs written to work with popular commercial document creation and viewing packages (e.g., Adobe's Acrobat, Microsoft Office, Lotus Notes, Netscape Navigator and Microsoft Internet Explorer browsers). These plug-ins allow publishers to create documents in which they can limit the user's ability to open, print, copy, edit, excerpt, etc. "Unlike competing products, which protect documents by encasing them in a data "container" with a different file format and extension, the FileOpen system encourages the distribution of documents in their native format. Put simply, the FileOpen system places security structures into documents rather than placing documents into security structures."

C. Integrity Protection

A third set of functions is to prevent a work from being altered, i.e. to protect the integrity of the work.

For example, Surety's Digital Notary Service uses cryptographic techniques to seal the contents of digital works in time by providing a means of detecting tampering and by attaching a timestamp to the data.
Another example is the use of "fragile watermarks". Digital watermarks can be embedded into graphic, audio, and video digital data files to carry information relating to copyright ownership or other types of information. The watermark is not detectable to the human eye or ear but can be identified by software. "Fragile watermarks" have the additional property that the work they are embedded in can "self destruct" if the watermark is tampered with. [4]

D. Content Description and Identification - A fourth function of many rights management systems involves tagging documents or portions of documents to support identification, search and retrieval.

Persistent identifiers- For example, the Digital Object Identifier (DOI) System is a system for assigning, managing, and resolving persistent identifiers, known as "handles," for digital objects. Handles can be used as Uniform Resource Names (URNs), so no matter how a document changes or where it moves to on a network, the handle will stay the same and will allow people to find the document.

Metadata- Watermarks can be used to attach metadata (information about information) to a work. For instance, one could include metadata about a photograph -- author's address, terms of use, copyright date, info about the photographer and image-- along with the image itself. The data about the photograph would be encoded with the digital rendition and would never be lost.

Persistent identifiers and metadata can be used to support:

Rights establishment- the ability to establish rules governing the terms, conditions and fees for using digital works
- For example, digital rights may include transport rights (rights to copy, transport or loan), render rights (to view, play or print), derivative work rights (right to extract, embed or edit).
- For example, the Xerox Digital Rights Language defines sixteen types of rights which can instruct trusted hardware to control what the consumer is allowed to and not allowed to do with the work. As another example, many photocopiers and scanners and are equipped with watermark detecting abilities and can prevent copying or scanning of a work if certain watermarks are present. [5,6]
Rights enforcement
- to identify true copyright holder (e.g., by embedding rights holder information in a watermark)
- to identify or locate a particular copy of data and its user (e.g., by including serial numbers in the work which can be matched to owner or user identities in a rights management database)
- to identify or locate "illegal" copies or infringers. Some examples include:
  - Playboy uses Digimarc's watermarking scheme and their MarcSpider service to find unauthorized uses of Playboy images. Digimarc's watermarking technology, which is integrated into Photoshop and other graphics programs, allows artists to save images with embedded copyright information in each image. Digimarc's MarcSpider then crawls the Web looking for images with the embedded metadata. Once an unauthorized site is found, Playboy attorneys can send a cease-and-desist letter to the violators or proceed with more serious legal action.
  - Cyveillance downloads millions of web pages and Usenet newsgroups each day looking for copyright infringers on behalf of their clients.
  - Business Software Alliance's (BSA) antipiracy campaign and products- BSA's provides a free "Software Scanner Audit Tool" designed to help people find licensed and unlicensed software installed on computer systems.

E. Usage Metering - A fifth set of functions allow the rightsholder to track the frequency a work is accessed, or to monitor other uses (e.g. copying), rather than to access or use. This allows the rightsholder to obtain an audit trail of the actual usage made of a work (for billing or statistical purposes), to bill for each instance of a use or to spot violations of the terms of a license.

These methods can also be used to support "superdistribution", i.e. they can provide the rightsholder with continuing revenue regardless of who holds the copy of the work. If the original purchaser were to disseminate it further, the rights management system would provide the rightsholder with data on subsequent usage and could allow the rightsholder to receive compensation for each subsequent use. [7,8]

For example, the Tragoes RightsMarket system "is based on the concept of Useright not copy protection. Useright is the right to use content regardless of how the content was acquired... RightsMarket enabled content calls home periodically to authorize and report its use...The rightsholder can use the metering information to drive the billing process and...can also use that information to set pricing, new product development decisions, and produce new marketing and sales approaches. The meter information is used by the rightsholder to decide on what steps to take with shrinkage (piracy). "

Another example is Softlock.com who claims that its "persistent security technology stops electronic shoplifting (piracy) not just during the initial download, but forever. Because SoftLock-enabled content can be securely sampled, electronically purchased and redistributed, SoftLock.com...keeps intellectual property secure while generating valuable marketing data and sales revenue no matter how many times the content is copied and redistributed - in fact, more copies means more data and revenue."

F. Payment- It is possible to enable automatic and simultaneous payment to the rightsholder for each actual use made of a work, through online transaction schemes.

For example, Copyright Direct is an electronic copyright management service (developed and operated by YBP Publishing Services) that automates permissions and purchase transactions for print and electronic content. Linked to CyberCash, it collects payment from users and forwards payments with an activity report to rightsholders on a monthly basis.

G. Copyright Management Systems- Any subset of the above functions have been combined in various full-blown "electronic copyright management systems". Normally, they cover more than measures preventing access or use and are intended to facilitate the trade in copyrights or copyrighted works within a networked environment.

For example, Liquid audio (LA) claims that its "Liquifier" is the only audio encoding tool which provides both anti-copy and anti-piracy protection. LA files are encrypted so that only an intended LA player can play it. LA uses digital watermarking helps to prevent piracy by providing a mechanism to identify bootleg copies of a recording. As part of the encoding process, the Liquifier embeds a watermark in the audio stream that can be decoded during playback. Even if a LA recording or, "Liquid Track", is written to a CD is still contains the traceable digital watermark that was embedded at the time of encoding. The watermark identifies copyright ownership and other information binding the Liquid Track to the creator. When the file is downloaded, an additional mark is added that uniquely identifies that particular copy of the Liquid Track and the downloaders information. LA claims that its watermarks cannot be removed without seriously degrading the sound quality of a recording. If a suspected pirate copy is obtained these watermarks can be extracted to provide an electronic audit trail for the authorities. In addition, the Liquifier imposes use controls (it is supposedly able to enable or disable writing to CD, control of how many copies are made, and expiration dates).

Other examples of CMS include: Imprimatur, Copyright Direct , IBM's cryptolopes and Tragoes RightsMarket

The Digital Millennium Copyright Act

What is the DMCA?

On October 12, 1998, Congress passed the Digital Millennium Copyright Act (DMCA), which makes major changes in U.S. copyright law to address the digitally networked environment. This section discusses the law's first title which implements the World Intellectual Property Organization (WIPO) Internet Treaties. Title I of the DMCA was intended to amend the U.S. copyright law to comply with the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty (adopted at the WIPO Diplomatic Conference in December 1996).

Two of the major provisions in the WIPO treaties require legal remedies against circumventing technological protection measures and tampering with copyright management information. To comply with these provisions, the DMCA adds a new chapter, Chapter 12, to Title 17 of the United States Code. Many scholars have commented that the DMCA goes above and beyond what was necessary to comply with WIPO, that it is overreaching and skewed in favor of rightsholder interests. [9,10].

What is the history of the DMCA?

The history of the DMCA is an interesting one and sheds light on why the Act appears to be skewed in favor of media industry interests. Samuelson suggests that "the battle in Congress over the anti-circumvention provisions of the DMCA was a battle between Hollywood and Silicon Valley." [11] The history of the Act illuminates why certain exceptions were made and who they were made for.

Samuelson provides a good summary of its history of the Act [12]
TheDigital Future Coalition provides a "Timeline to Passage" that illustrates the major actions undertaken to pass the Digital Millennium Copyright Act, tracks legislation that either competed with or became part of the final version of the DMCA and links to Congressional testimony.
DMCA Congressional testimony can also be found at http://thomas.loc.gov by searching the Congressional Record for "Digital Millennium Copyright Act."

What the DMCA Says and Why it is Problematic

SECTION 1201- CIRCUMVENTION OF COPYRIGHT PROTECTION SYSTEMS

The "Anti-Circumvention" provision

The Digital Millennium Copyright Act of 1998 states that "[n]o person shall circumvent a technological protection measure that effectively controls access to a work protected under this title." [13]

To 'circumvent a technological measure' means to "descramble a scrambled work, to decrypt and encrypted work, to otherwise avoid bypass remove deactivate or impair a technological measure, without the authority of the copyright owner"

And a 'technological measure' "effectively controls access to a work or otherwise to avoid bypass remove or deactivate or impair a technological measure without the authority of the copyright owner"

It is important to note that this provision applies to the act of circumvention in general, regardless of whether or not the circumvention infringes any protected property rights. [14] Effectively, accessing to the protected work itself, even without the intent to commit copyright infringement, is enough to trigger this provision and its penalties.

This prohibition on unauthorized access takes effect two years after enactment on the DMCA. Over this two year period, the Librarian of Congress is to conduct an "on the record" rulemaking proceeding to determine what the potential harm and benefits of this provision are and if any classes of work should be exempted from this rule.

The "Anti-Device" provision

The act states that no person can "manufacture, import, offer to the public, provide or otherwise traffic in any technology, product, service, device, component, or part thereof, that is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work." [15]

In an attempt to ensure that legitimate multipurpose devices can continue to be made and sold, the prohibition applies only to those devices that:

(1) are primarily designed or produced for the purpose of circumventing;
(2) have only a limited commercially significant purpose or use other than to circumvent; or
(3) are marketed for use in circumventing.

Unlike the prohibition on acts of circumvention, which takes effect in two years, the prohibition on the manufacture and distribution of circumvention devices takes effect immediately.

Problems with section 1201:

The biggest problem with the provisions above is that they outlaw technology rather than simply criminalizing violations of copyright. Gene Spafford, a computer science professor, makes the analogy that this provision "is akin to banning the development and sale of automobiles to curtail drunk driving, or criminalization of the sale of paper and ink to prevent the possibility of libel." [16]
A second problem is that in practice, the anti-device provision will override any protections for legitimate uses that the "anti-circumvention" provision provides (see exception provisions below). There will always be a few sophisticated individuals who may be able to circumvent CMS on their own, however most people will rely on software or devices developed and made available by others. Even if some instances of copying are protected under the anti-circumvention provision, these protections are meaningless if the devices needed to access technically-protected information are not available. One legal scholar, Yochai Benkler, likens this situation to allowing people to copy television broadcasts for their own use, but at the same time prohibiting the manufacture and sale of VCRs. [17]
The definitions of the terminology used in the Act are unclear and how they will be interpreted by the courts remains to be seen:
- What is a "technological measure" for protecting copyrighted material? It is likely that strong encryption would qualify as such a technological measure. Would weak or poorly designed encryption also qualify? What about password protection used to protect content on websites? How about data compression? Could compilation qualify as a technological measure making decompilation illegal? [18]
- What does it mean to effectively control access? What if someone claimed to have produced a system that prevents you from copying or reading a file, but is ineffective? Are they entitled to some extra legal treatment simply because they claimed to have protected their content? Joan Feigenbaum voiced concerns that software vendors should not be able to hide bad security implementations behind the law and that such protections "promote bad security" [19].
Most importantly, the DMCA raises constitutionality questions:
- The Librarian of Congress has been asked to evaluate whether there are any classes of works that certain users should be permitted to access, even if they are technically protected. It is possible then that the Librarian could exempt certain classes of works from the "anti-access" ban, but that the mechanisms for gaining access will not available because of the "anti-device" ban. For example, suppose that the Librarian of Congress deems that certain people should be allowed to circumvent the technical protections on news articles in order to be able to provide criticism and commentary about them. However, because of the device ban, there is no means to view, print or read the news articles. Benkler views this as an abridgment of the constitutionally guaranteed Freedom of the Press.
  "Remember that Congress was so unsure of the extent to which the prohibition on circumvention will limit the freedom of criticism, commentary, scholarship, teaching, and news reporting that Congress postponed the effective date of the direct prohibition for two years. The prohibition on manufacture, importation, or sale, however, is effective immediately. What this means is that, without knowledge of the effects on First Amendment interests, and in the officially acknowledged absence of such knowledge, the manufacture, importation, and sale of presses are being prohibited. It would appear that any attempt to enforce the prohibition prior to the Librarian's determination must be held an unconstitutional abridgment of the freedom of the press. After the Librarian's determination, it would still be hard to justify this sweeping prohibition as long as some nontrivial amount of circumvention is privileged." [20]
- Can developers of software used to circumvent technical protections be prohibited from publishing the source code of the software? A recent 9th Circuit court of appeals decision stated that federal export regulations that limited the ability of a professor to post encryption software on his web page constitute a prior restraint on speech that offends the First Amendment [21]

Rights (supposedly) Not Affected

The DMCA states that nothing in section 1201 should affect the rights and limitations of existing copyright law, the "rights, remedies, limitations, or defenses to copyright infringement, including fair use". [22] Nor does it lessen or expand the existing doctrines of "vicarious and contributory liability" [23]

Problems:

Rights management technologies may reverse the Internet trend toward access rights and reset the balance in favor of exclusion. This shifting of the rights allocation may significantly abridge the three doctrines that had guaranteed access rights under copyright law: public domain, first sale and fair use. [24]

Public domain- Rights management systems may constrict the public domain. Currently, the copyright holder loses exclusive rights to his work at the end of the copyright term. As long as some form of the work exists in an available and unrestricted format, the information will eventually fall into the public domain. However, many fear that digital works held by technical protection systems may never be released. In fact, many secure systems are designed to offer persistent protection [they never leave the protection of a secure container] and some have the ability to "self destruct" (the data contained within is erased) if they are tampered with.
First Sale doctrine- Rights management technologies may nullify the first sale doctrine. Currently, copies of a copyrighted work can be freely transferred after the initial purchase. The first sale doctrine permits books and music to be loaned or resold by limiting copyright owner's ability to control the distribution of their work beyond the initial distribution. TPS threaten this.
- For example, if I wanted to give a digital copy of a book to a friend that was protected by the Tragoes RightsMarket system, my friend would have to first become an authorized Tragoes user (by agreeing to the license terms and conditions) in order to access the book.
Finally, Rights Management technologies may expunge the fair use doctrine. Currently, fair use is a defense to copyright infringement. If the issue of infringement is never reached because rights management protection prevents infringement before it can occur, then the fair use question never arises.
- In the famous 1984 Sony Betamax case [25], the U.S. Supreme Court rejected the attempt of the major movie studios to have VCRs declared illegal under the theory that they could be used only primarily for copyright infringement. The Supreme Court held that the sale of VCRs was not illegal because VCRs could be used for "commercially significant noninfringing uses" such as creating copies of broadcast television programs for later personal, noncommercial use. The court viewed this type of copying as "fair use" under copyright law, even if the copying was not authorized by the copyright owner.
- Many observers believe that this same "fair use" analysis should apply to the creation of digital copies of legitimately-acquired songs for non-commercial personal use. Let's say that a consumer wants to encode her CD collection or songs which she legitimately purchased into the unprotected MP3 format (e.g., in order to manage her playlists using the MusicMatch database or to play them on her Rio player). Should she be prohibited by law from doing so? What if she also wants to incorporate her technically protected music (e.g., Liquid Audio, a2b songs) into her Musicmatch database so that all of her music can be managed by one software package. Should this also be prohibited? The record industry thinks so. [26,27]
- Assuming that this type of copying is "fair use," shouldn't software that was primarily designed for this purpose, such as Audiojacker or Total Recorder be legally available to make these personal use copies if the technological protection measures surrounding a song would otherwise prevent copying? If the DMCA's statement that it does not affect the fair use defense is to have any real meaning, then the answer must be yes. Otherwise, by linking to software applications such as this on my web page, am I liable under the anti-device provision for "provid[ing] or other wise traffic[ing] in a technology....that is primarily designed or produced for the purpose of circumventing a technological measure"?

Exceptions to 1201

After lobbying by libraries, the high- tech industry and other affected parties and after intervention by the Commerce committee, Congress recognized that there may be legitimate reasons for circumvention. In response, Congress provided a number of exceptions to the prohibition on circumvention and circumvention devices. The seven exemptions reflect a wide range of specialized concerns.

While the exemptions respond narrowly to a variety of concerns, they do not address the most fundamental problem. This is that the anti-circumvention provisions will prohibit anyone from using works protected by technological measures without permission, even for privileged purposes. Below, I provide some examples of legitimate uses not covered by the exceptions. To remedy the gaps in protection of legitimate uses, Samuelson has suggested that there is a need for "or other legitimate purposes" exception to access control rule. [28]

This section describes the exceptions that were adopted and some of their implications and shortcomings.

Nonprofit libraries, archives, and educational institutions The first of these exemptions gives nonprofit libraries, archives, and educational institutions a "shopping privilege", which permits them to gain access to a work without authorization, in order to "make a good faith determination" of whether to purchase the work, and only when circumvention is the only way to make that determination. [29]

Problems:

This exemption is according to Benkler, quite the opposite of an exemption because "it threatens to nullify a number of real exemptions that the Copyright Act recognizes for nonprofit libraries, archives, and educational institutions. For example, a library is privileged to copy a single article from journals or collections it owns, if it gives the copy to an individual user for "private study, scholarship, or research. Relying on this exemption, a library could defensibly circumvent the protection measures of an online journal to which it subscribes in order to make a copy for an individual user. But the goods-inspection exemption would preclude that defense. The same is true of other exemptions that the Copyright Act provides to libraries and schools. The result is the very real expectation that libraries will be hampered in their capacity to provide inexpensive, widely available access to digitized materials". [30,31]
It is interesting to note that the provision does not specifically permit the development and distribution of the devices that would be necessary for these organizations to circumvent CMS, even for "shopping privilege" purposes.

Exception for Law Enforcement and Intelligence Activities. The DMCA permits circumvention for any lawfully authorized investigative, protective, or intelligence activity by or at the direction of a federal, state, or local law enforcement agency, or of an intelligence agency of the United States.[32]

Reverse Engineering Exception allows software developers to circumvent technological protection measures of a lawfully obtained computer program in order to identify the elements necessary to achieve interoperability of an independently created computer program with other programs. A person may reverse engineer the lawfully acquired program only where the elements necessary to achieve interoperability are not readily available and reverse engineering is otherwise permitted under the copyright law. Furthermore, a person may develop and employ technological means to circumvent and make available to others the information or means for the purpose of achieving interoperability. [33]

Problems:

Achieving interoperability may be the primary reason to reverse engineer software, but it certainly isn't the only legitimate reason for reverse engineering. Because the DMCA only allows reverse engineering for the 'sole purpose of interoperability', the following efforts may be criminalized:
- Gene Spafford offers an example of using reverse engineering when a new computer virus is discovered. It is necessary to reverse-engineer the programs that are affected to discover how the virus spreads, how to remove it to disinfect the programs, and how to build defenses against future encounters with the same virus. [34]
- Reverse engineering is also necessary to fix Y2K software bugs [35]
- Reverse engineering is also useful for improving upon existing products, to make them more secure or to add features, for example. [36]
- Several universities offer detailed coursework in software disassembly and reverse-engineering as a method to impart software engineering and other skills to their students.

Encryption Research Exception. Congress provided an encryption research exception intended to advance the state of knowledge in the field of encryption technology and to assist in the development of encryption products. Circumvention in the course of "good faith encryption research" may be allowed if the following conditions are met [37]:

(1) the researcher lawfully obtained the copyrighted work;
(2) circumvention is necessary for the encryption research;
(3) the researcher made a good faith effort to obtain authorization from the copyright owner before the circumvention; and
(4) circumvention is otherwise permissible under the applicable laws.

In addition to the above factors, the DMCA directs the court to consider three other factors:
(1) whether the information derived from the research was disseminated to advance the knowledge or development of encryption technology or to facilitate infringement;
(2) whether the researcher is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced in the field of encryption technology; and
(3) whether the researcher timely notifies the copyright owner with the findings and documentation of the research.

A person may provide the means to develop technical protection systems to a collaborator for the sole purpose of performing "good faith" encryption research.

Problems:

In many instances it is unpractical for academic researchers to obtain authorization before performing encryption research. What if a good faith effort is made to obtain authorization, but authorization is not granted? Should this preclude a researcher from evaluating, testing, or improving upon the system in question? By asking for authorization beforehand, it also becomes harder to guarantee that the security evaluations will occur under realistic conditions.

How are collaborators defined? It is common for researchers to publish their research findings on the web and in journals so that their findings can be reviewed, analyzed, discounted or improved upon by the world wide security research community.

The biggest problem is that this exemption authorizes encryption research, but not security research. Encryption research is only one subfield in the area of information security. Researchers specializing in other security fields, such as network security or secure operating systems, may also be required to circumvent CMS in the course of their research, but they are not covered by the encryption research exemption. Even an exemption for general security research may be too narrow, for it will not cover other CMS related research in areas such as image and audio compression techniques. Advancements in fields such as these are necessary to advance the state of the art in CMS. It is quite ironic that the very law designed to protect CMS may actually serve to stifle their advancement.

Several universities offer detailed coursework in software disassembly, reverse-engineering, penetration analysis, and related fields as a means of training information security professionals. This is not done to violate the property rights of any software owners but to provide an appropriate education in an area of critical national need. The DMCA, because it does not have an exemption for general information security research could be interpreted as prohibiting such education, labeling it as "trafficking in certain technologies... that can be used to circumvent a technological protection measure."

Security Testing Exception. In addition to the encryption research exception, the DMCA provides a security testing exception, which permits circumvention conducted in the course of security testing if it is otherwise legal under applicable law. Security testing is defined as "obtaining access, with proper authorization, to a computer, computer system, or computer network for the sole purpose of testing, investigating or correcting a potential or actual security flaw, or vulnerability or processing problem."

In determining whether this exception is applicable, the DMCA requires the court to consider whether the information derived from the security testing was used solely to improve the security measures or if it was used to facilitate infringement. The DMCA also permits the development, production or distribution of technological means for the sole purpose of performing permitted acts of security testing. [38]

Problems:

Again, the requirement for "proper authorization" prior to security testing can be problematic, for the reasons discussed above. In addition, many software vendors are often not able or not willing to test their products. Allowing software companies to make the decision about whether or not to hack their products themselves is bad for security according to Spafford. "When these packages are released into the marketplace, they are adopted by thousands of businesses. With the significant emphasis on cost-cutting and interoperability, these "COTS" (commercial, off-the-shelf) packages are also widely adopted by U.S. government agencies and the military. Upon release, these packages are intensely scrutinized by hackers, spies, and criminals throughout the world as they search for flaws they can exploit. The same packages are also examined by hundreds of computer users, searching for flaws so as to protect their own systems. When these "good guys" find flaws, they report them to the vendors and the user community so that the flaws can be fixed. While real criminals will not be dissuaded, [this law] in any of its forms, will almost certainly restrict those who wish to search and report flaws in "good faith." [39 ]

Products such as network scanners, that are routinely used to find security holes unknown to network administrators, may no longer be legal to develop, sell, distribute or use under this provision. (Scanners, such as the ISS scanner, SATAN and SANTA, are available from multiple sources. Some are shareware while others are commercially available).

Exception Regarding Minors. The DMCA permits the manufacture of technologies whose "sole purpose is to prevent the access of minors to materials on the Internet" as long as they are not included in a product which does not itself violate the provisions of Title I. [40]

Problem: This is yet another example of an exception that is too narrowly tailored to cover all legitimate uses:

This exception was intended to protect the manufacture of firewalls or filtering devices designed to intercept the transfer of adult copyrighted material. Again, Congress did not foresee that consumers may have a legitimate desire to block other types of copyrighted Internet traffic. For example many people choose to block advertisements and others choose to block images and applications in order to improve network performance or because they do not have any use for them (e.g., many blind users block images while deaf users block audio files).

Given the above examples, it is strange that the act focuses on minors when many adults, workplaces, etc. would also like to take advantage of these filtering features.

Protection of Personally Identifying Information. The DMCA addresses personal privacy concerns by allowing people to circumvent a technical measure if the technical measure collects or disseminates personally identifying information about a user's online activities. This exception is only applicable and only if disabling data collection or dissemination is the sole effect of the circumvention. This exception is only applicable if the user is not provided with adequate notice and the capability to prevent or restrict such collection or dissemination. [41, 42]

Problems:

Many of the examples of CMS I have described in previous sections require the collection of a user's identity and allows monitoring of usage to support billing or royalty payments. In these systems, any circumventions to prevent personal data collection or dissemination may also have other secondary effects on necessary system functionality (e.g., preventing billing or royalty payments) and are therefore not permitted.

One can hope that this exemption will provide incentive for CMS manufacturers to provide privacy notices to the consumer and the ability to opt out, in order to avoid the perception that consumers can modify their system.

Ironically, systems that absolutely require monitoring to function properly, have virtually no incentive to provide notice and opt out provisions, because tampering with them is not permitted in any case.

Unless privacy notices and the ability to opt out become standard and manufacturers compete for the level of privacy protection they can provide, there is little incentive for manufacturers to develop anonymous or pseudonymous systems.

More importantly, because this provision does not specifically permit the development and distribution of circumvention technologies that can be used to achieve privacy, and because these circumvention technologies are banned the anti-device provision, the entire exemption is weakened.

Certain Analog Devices and Certain Technological Measures. The last exemption requires home VCRs to conform to two forms of copy control technology (the automatic gain control technology and the colorstripe copy control technology) that will permit owners of video programming to lock certain programming and prerecorded movies. The exemption prohibits use of this locking technology for video signals transmitted over the air and over channels transmitted on cable as part of the basic service tiers. This provision prohibits tampering with these analog copy control technologies to render them ineffective by redesigning of video recorders or by intervention of "black box" devices or "software hacks." This provision becomes effective in eighteen months. [43]

SECTION 1202- COPYRIGHT MANAGEMENT INFORMATION

The DMCA prohibits tampering with copyright management information (CMI). Specifically, the DMCA creates liability for any person who intentionally provides or distributes false CMI. Also, the DMCA prohibits intentional removal or alteration of CMI or knowing distribution of illegally modified CMI. To be covered by the DMCA, CMI must be "conveyed in connection" with a copyrighted work and CMI may constitute any of the following:

(1) information that identifies the copyrighted work, including the title of a work, the author, and the copyright owner;
(2) information that identifies a performer whose performance is fixed in a work, with certain exceptions;
(3) in case of an audiovisual work, information that identifies the writer, performer, or director, with certain exceptions;
(4) terms and conditions for use of the work;
(5) identifying numbers or symbols that accompany the above information or links to such information, for example, embedded pointers and hypertext links; or
(6) other information as the Register of Copyrights may prescribe by regulation

However, there is an exception to protect the privacy of users. The term CMI does not include "any personally identifying information about the user of a work", nor can regulation require that CMI contain such information. [44]

Problems with 1202:

CMI can be a very integral part of a rights management system. In many systems, the CMI can be linked to or travel with works to monitor use of the work, enable billing, facilitate detection of unauthorized uses and promote the payment of royalties.
CMI is particularly useful for copy detection. For example, online watermarking services allow information providers to embed a copyright label in image or video data. Rather than attempt to prevent the illicit copying and dissemination of proprietary information, the labeling technique discourages it by making misuse of unauthorized documents traceable (whether the unauthorized copies are online or on the consumers PC) and by providing evidence.
At first I was relieved to discover that Congress had the foresight to prevent CMI from containing privacy violating information. In many systems today it is possible for rightsholders to trace user information and use history over time via CMI.
One additional item that the Register of Copyrights should require is a detailed description of the information that the CMS is collecting and how that information will be used. The consumer should be able to view this notice at any time.
I am also very surprised that law enforcement and broadcast and cable systems are the only parties given exemptions to this provision [45]. There are many legitimate reasons that one would want to tamper with CMI. I will provide 2 examples, but many more are possible:

Suppose a photographer (let's call her Alice) embeds watermark A into a digital image to identify it the photograph as her own. She posts this image on the web where it is downloaded by someone (let's call him Bob) who wishes to misappropriate the image as his own. It is trivial today for Bob to be able to insert another watermark B into the image such that it appears that the image is really Bob's work. Alice should certainly have the ability to tamper with Bob's watermark to attempt to prove that hers was embedded first [technical note: while in some instances, it may not be possible to determine whether A or B was embedded first, Alice should certainly not be prohibited from attempting to try to prove that hers were embedded first].
The most common occurrence of CMI tampering today is that done by researchers who desire to advance the state of the art in techniques used to embed CMI into digital works (e.g., data hiding, watermarking and steganography). Researchers will need to tamper with watermarks and other embedded information to make them more resistant to attacks. I myself have used a device (a software program named StirMark developed by Peticolas) to successfully remove watermarks from copyrighted images (where the watermarks were generated by programs such as Digimarc, SysCoP, Pretty Good Signature, SureSign). I did not remove the watermark to gain access to the work, since I already had access to it, but simply to test the resistance of the CMI to attack.

By my interpretation of the law, the above examples are not covered by the exemptions to section 1201, because 1201 only applies to circumventions that involve gaining access to a work, where 1202 seems to apply strictly to removing or altering CMI. It seems that academic researchers engaged in this type of activity can be held civilly liable, while those outside libraries, archives, and educational institutions can be held criminally liable for engaging in legitimate security testing and evaluation of the techniques used to embed CMI in copyrighted works. (see next section on penalties). It is not clear to me why any of the exceptions provided in 1201, including an exception for encryption research, general security research and security testing, are not just as important here.

Because the definition of CMI includes "terms and conditions for use of the work" and "identifying numbers or symbols that accompany the above information", the definition is broad enough to cover CMI which would also control access to a work (e.g., CMI that instructs trusted hardware to control uses of the work). In this case, tampering with a CMI might therefore violate both sections 1201 and 1202.

Civil Remedies and Criminal Penalties

The DMCA creates civil remedies and criminal penalties for violations of Sections 1201 or 1202. A civil action may be brought in a federal district court. The court has broad powers to grant injunctions and award damages, costs and attorney's fees. The court may also order the impounding, the remedial modification or the destruction of the devices or products involved in the violation. The court may punish repeat offenders by awarding treble damage awards. Generally, it is up to the court to decide whether to reduce damage awards against innocent violators. But, in the case of nonprofit library, archives or educational institutions, the court must remit damages if it finds that a qualifying entity had no reason to know of the violation. The DMCA prescribes significant criminal penalties for violations committed "willfully and for the purposes of commercial advantage or private financial gain." Criminal penalties are inapplicable to nonprofit libraries, archives, and educational institutions. The civil remedies and sanctions are available irrespective of the state of mind or knowledge of the person circumventing the technological protection measure. Both criminal and civil sanctions apply to circumvention per se, whether or not the underlying use is privileged. [46]

Legal and Technical Solutions-

Recommendations to the Librarian of Congress

Building Fair Use and Privacy into Technical Protection Systems

References

[1] The changes to copyright law have significant implications for libraries, archives, and institutions of higher education. Of particular importance, is the fact that sections of the DMCA contain detailed regulations for online service providers that must be followed to obtain protection from liability for infringement. Educational institutions are expected to educate their communities about copyright law and compliance. Other portions of the law will require the community to develop processes for collecting information and conducting studies to ensure the long-term protection of fair use and other copyright exceptions.

[2] Julie E Cohen, "Some Reflections on Copyright Management Systems and Laws Designed to Protect Them", 12 Berkeley Technology Law Journal (1997), available at

[3] Protection of Technical Measures IMPRIMATUR project legal study, Institute for Information Law of the University of Amsterdam, November 1998, available at http://www.imprimatur.alcs.co.uk/IMP_FTP/technical.pdf

[4] see the Web Reference Guide to Watermarking, available at http://www.webreference.com/multimedia/watermarks.htm

[5] Mark Stefik, "Shifting the Possible: How Trusted Systems and Digital Property Rights Challenge Us to Rethink Digital Publishing", 12 Berkeley Technology Law Journal (1997), 137;160, available at

[6] Stefik, Internet Edge

[7] Tom W Bell, "Fair Use vs. Fared Use: The Impact of Automated Rights Management on Copyright's Fair Use Doctrine", 76 North Carolina Law Review (1998), 557;619, available at

[8] Cox, Superdistribution

[9] Pamela Samuelson, Intellectual Property and the Digital Economy: Why the Anti-Circumvention Regulations Need to Be Revised, 13 Berkeley Tech. L.J. (forthcoming1999), available at

[10] Yochai Benkler, Free as the Air to Common Use: First Amendment Constraints of the Public Domain New York University Law Review, Volume 74, No. 2 (May, 1999) http://www.nyu.edu/pages/lawreview/74/2/benkler.pdf

[11] Samuelson, page

[12] Samuelson, page

[13] See Digital Millennium Copyright Act of 1998, codified at 17 U.S.C. § 1201(a) (1998)

[14]

[15] 17 U.S.C. § 1201(a)(2), (b) (1998)

[16] see Gene Spafford, WIPO Letter From the InfoSec Community, signed by 48 leading security professionals http://www.cs.purdue.edu/homes/spaf/WIPO/#Text

[17] Benkler,

[18] Barbara Simons raises these issues in a Communications of the ACM column entitled Outlawing Technology , available at http://www.acm.org/serving/outlaw.html

[19] Joan Feigenbaum, speaking to SIMS IS296A section 3 about Copyright Management Systems and the DMCA

[20] Benkler, page

[21] U.S. 9th Circuit Court of Appeals, BERNSTEIN v USDOJ held that the challenged export regulations, which required Bernstein to get a license from the government before he could post his encryption software on the web, constitute a prior restraint on speech that offends the First Amendment, court opinion available at
http://caselaw.findlaw.com/cgi-bin/getcase.pl?court=9th&navby=case&no=9716686

[22] The basic analysis for direct copyright infringement is relatively straightforward and rooted in a well-settled federal statutory scheme. Under Section 106 of the Copyright Act, courts examine whether one or more of the copyright owner's five exclusive rights have been violated. These include the reproduction right, the derivative works right, the distribution right, the performance right, and the display right. See 17 U.S.C. Section 106. If infringement is found, the next step in the analysis often centers on whether this infringement constitutes fair use under Section 107.

[23] Contributory infringement originated in tort law and stems from the notion that one who directly contributes to another's infringement should be held accountable. Judicially created by analogy to patent law, it has been deemed applicable today in the areas of copyright, patent, and trademark. Acts of contributory infringement generally fall into one of two categories: (1) personal conduct that contributes and thus furthers direct infringement, or (2) contribution of a 'machine or good' which provides a means to infringe.

[24] Harvard Law Review, draft article

[25] cite Sony

[26] see EFF Consortium for Audiovisual Free Expression (CAFE), who are trying to equate audio "format shifting" with the VCR "time shifting", which was declared as a commercially significant noninfringing use by the Supreme Court in Sony, http://www.eff.org/cafe/

[27] see Wired news article " Music Biz Builds Time Bomb" SDMI backers want manufacturers to build a time-bomb trigger into their products that, when activated at a later date, would prevent users from downloading or playing non-SDMI-compliant music. The hardware would Initially support UP3 and other compressed file formats, but a signal from the RIGA would activate the blocking trigger, available at http://www.wired.com/news/news/technology/story/19682.html

[28] Samuelson, pages 17-20

[29] 17 U.S.C. § 1201(d) (1998)

[30] Benkler, page

[31] See http://www.arl.org/info/frn/copy/dmca.html

[32] 17 U.S.C. § 1201(e) (1998)

[33] 17 U.S.C. § 1201(f) (1998)

[34] see Spafford letter

[35] see September 14 letter sent by the presidents of eight major scientific societies to members of Congress expressing their grave concern about HR2281, http://www.cs.purdue.edu/homes/spaf/WIPO/ssl.txt

[36] See the IEEE Technical Committee on Software Engineering subcommittee on Reverse Engineering and Reengineering website for more information on legitimate reverse engineering applications http://www.tcse.org/revengr/

[37] 17 U.S.C. § 1201(g) (1998)

[38] 17 U.S.C. § 1201(j) (1998)

[39] see Spafford letter

[40] 17 U.S.C. § 1201(h) (1998)

[41] 17 U.S.C. § 1201(i) (1998)

[42] Julie Cohen discusses privacy in regard to CMS in " A Right to Read Anonymously: A Closer Look at Copyright Management in Cyberspace", available at http://38.222.224.75/sol3/paper.taf?ABSTRACT_ID=17990. also see Cohen footnote 2

[43] 17 U.S.C. § 1201(k) (1998)

[44] 17 U.S.C. § 1202 (1998)

[45] 17 U.S.C. § 1202 (d), (e) (1998)

[46] 17 U.S.C. § 1203, § 1204 (1998)

Bibliography and Resources

General Copyright Information

U.S. Copyright Office, http://lcweb.loc.gov/copyright/

DMCA

Full Text of the Digital Millennium Copyright Act H.R.2281/Public Law 105-304, http://thomas.loc.gov/cgi-bin/cpquery/z?cp105:hr796:

THE DIGITAL MILLENNIUM COPYRIGHT ACT, Analysis by Jonathan Band Morrision & Foerster LLP Washington, D.C (10/20/98), http://www.arl.org/info/frn/copy/band.html

Law Review and Law Related Articles

Selected papers by Pam Samuelson

Berkeley Law and Technology Journal Volume 12:1 in particular see :

SHIFTING THE POSSIBLE: HOW TRUSTED SYSTEMS AND DIGITAL PROPERTY RIGHTS CHALLENGE US TO RETHINK DIGITAL PUBLISHING Mark Steffik
The Intellectual Property Renaissance in Cyberspace: Why Copyright Law Could Be Unimportant on the Internet by Eric Schlachter
SOME REFLECTIONS ON COPYRIGHT MANAGEMENT SYSTEMS AND LAWS DESIGNED TO PROTECT THEM JULIE E. COHEN

N Elkin-Koren, "Copyright Policy and the Limits of Freedom of Contract", 12 Berkeley Technology Law Journal (1997), 93;114.

J Litman, "New Copyright Paradigms", available at URL http://www.msen.com/~litman/paradigm.htm.

Jessica Litman, Revising Copyright Law for the Information Age 75 Or. L. Rev. 19 (1996), http://www.law.cornell.edu/commentary/intelpro/litrvtxt.htm

Conference Paper Jessica Litman Free Speech and Electronic Commerce, http://webserver.law.yale.edu/censor/litman.htm

A Right to Read Anonymously: A Closer Look at "Copyright Management" in Cyberspace, Julie Cohen, 28 CONN. L. REV. 981, 981-89, 994-1003 (1996).

DIGITAL RIGHTS MANAGEMENT SYSTEMS AND THE FUTURE FOR COPYRIGHT LAW

Fair Use Vs. Fared Use: The Impact of Automated Rights Management on Copyright's Fair Use Doctrine by Tom W. Bell 76 N. Carolina L. Rev. 557 (1998)

Libraries & Distance Education

Digital Millennium Copyright Act Status & Analysis,http://www.arl.org/info/frn/copy/dmca.html

Overviews of Technical Protections Systems

Digital Rights Management Technologies, Northeast Consulting, October, 1995, prepared for International Federation of Reproduction Rights Organizations

Digital Copyright Protection, Peter Wayner

Trusted Systems, Mark Stefik, Scientific American, March 1997

Stefik, "Letting Loose the Light: Igniting Commerce in Electronic Publication," in Internet Dreams: Archetypes, Myths, and Metaphors (Cambridge, Mass.: MIT Press, 1996), 219-54.

Stefik, in Internet Edge

Protection of Technical Measures November 1998 -- 209K (56 pages) This report is the sixth in a series of legal studies carried out in the framework of the IMPRIMATUR project by the Institute for Information Law of the University of Amsterdam.

Technological Strategies for Protecting Intellectual Property in the Networked Multimedia Environment, The Journal of the Interactive Multimedia Association Intellectual Property Project, Coalition for Networked Information, January 1994.

Tuck, Bill. Electronic Copyright Management Systems: Final Report of a Scoping Study for eLib, July 1996.

Digital Rights Architectures for Intellectual Property Protection Legal/Technical Architectures of Cyberspace (MIT student paper),
http://www-swiss.ai.mit.edu/6805/student-papers/fall98-papers/trusted-systems/trustsys.html

Please send comments regarding this page to rachna@sims.berkeley.edu