March Prism - 2002
Down The Road
A Criminal Act?
Unequal Opportunity
Teaching Toolbox
ASEE Today
Last Word
Back Issues

A Criminal Act?


By passing a copyright protection law in 1998, Congress turned the exposure of inadequate security systems into a crime, according to a First Amendment expert, who says the Digital Millennium Copyright Act represents the worst kind of special interest lawmaking.

- By Bruce W. Sanford

They are an unlikely trio: a Russian Ph.D. student, a Norwegian teenager, and a Princeton professor. Dmitry Sklyarov, Jon Johansen, and Edward Felten are linked by software smarts and a healthy dose of derring-do. Each has been able to decode some of the most sophisticated encryption protection served up by American industry. Sklyarov peeled away the code guarding Adobe's eBook Reader. Johansen, when he was 15, developed a method of decrypting the DVDs that Hollywood studios are increasingly using to distribute movies for home viewing. And Felten authored a paper that busted the encryption techniques the recording industry was developing to protect music on CDs.

Until the September 11 terrorist attacks placed the debate over encryption back into the realm of national security, the liveliest conflicts over this controversial technology were being fought on the intellectual property front, with Sklyarov, Johansen, and Felten as its most public faces. As happens so often in our legal system, the two key principles at stake here are at odds with each other: Freedom of expression, on the one hand, and copyright protection on the other.

This is an old tension, dating back as far as the Constitution itself. “Congress shall make no law” abridging free speech, says the First Amendment, but Article I gives those same lawmakers the power to grant an “exclusive right” in the creation of literary and artistic works. First Amendment freedoms and copyright protections have been at war ever since. There were major clashes in the 1970s and 1980s—The Nation magazine tried famously, for example, to scoop the publication of President Ford's memoirs by running short excerpts and was hammered by the Supreme Court. In the 21st century, encryption has become the center of the storm.

Felten, Sklyarov, and Johansen have each had a well-publicized scrap with the Digital Millennium Copyright Act (DMCA), a 1998 federal law that criminalizes the creation or distribution of any technology that can evade the encryption used to put anti-piracy protections in place. As Professor Larry Lessig of Stanford Law School has explained, the DMCA “outlaws technologies designed to circumvent other technologies that protect copyrighted material.” In essence, Congress has managed to take a gift—the exposure of inadequate security systems—and turn it into a crime. Exposing the failures of security technologies is surely unwelcome, but it is also plainly information that people need to know. The First Amendment value of publicizing the false hopes and hype around encryption should beat out the repressive solution the DMCA represents.

The DMCA is a failure in a number of ways. From a policy perspective, the statute represents the worst kind of special interest lawmaking. The entertainment industry rushed to Congress because it knew that the encryption technology protecting its copyrights was vulnerable. But a statute such as the DMCA, by criminalizing disclosure of these weaknesses, provides confidence at the expense of a lie. The law is thus analogous to the Communications Decency Act, struck down by the Supreme Court in 1997, which perpetuated a cruel hoax on parents that the state could really act as a police officer of the Internet. When government indulges fears in this fashion, it runs the risk of legislating irresponsibly—and in violation of the First Amendment. In this post-September 11 political climate, in our haste to prevent further terrorism, will other sins follow in the name of “security”?

From a copyright perspective, the DMCA's ban on the dismantling of encryption does not take into account that the copyright statute itself permits “fair use” of protected materials; the scope of the DMCA is thus broader than the scope of copyright law. From a First Amendment point of view, the problems are even more suffocating. The DMCA turns the mere exposure of the vulnerabilities of supposedly super-encrypted secrets into a criminal offense, even if the discloser does not use these capabilities to infringe someone's copyright.

Earlier this year, for example, Felten was prepared to publish a paper revealing the weaknesses of the recording industry's encryption system for CDs, when he received a letter warning him not to take his research public. Felten initially backed down, but subsequently presented his paper in Washington, D.C. in August—and is now the named plaintiff in a lawsuit against the recording industry seeking to have the DMCA declared unconstitutional as applied to his conduct. Felten's case has an ironic twist; he only undertook this project in the first place in response to a public challenge issued by a music trade group inviting all comers to decrypt the industry's proposed security protocol.

Sklyarov's and Johansen's know-how has created similar confrontations with the DMCA. The Russian was picked up by the FBI in a Las Vegas in July while attending a conference of computer programmers, where he was scheduled to make a presentation on how his company, Elcomsoft, had developed a program to permit owners of Adobe's Reader to work around certain features of electronic books protected by encryption and customize the files for their use. Adobe's complaint was that Elcomsoft's technology could also be used by software pirates to steal these “e-books” and sell them on the black market.

After his arrest in Las Vegas, Sklyarov was put in prison for a short time, a brazen step that The Washington Post called “one of the most oppressive uses of the law to date.” As for Johansen, after he publicized his ability to unlock the encrypted code protecting DVDs, a U.S. Web site posted his work online. Eight Hollywood studios sued the Web site, and in August 2000 a federal district judge in New York ruled in their favor after a bench trial, putting aside the First Amendment objections to the DMCA.

Threats, detentions, prosecutions. The DMCA protects copyrights by punishing those who do no more than show the public how supposedly secure encryption systems are easily breached. By debunking myths surrounding the impenetrability of encryption, Sklyarov, Felten, and Johansen are fulfilling a function similar to whistleblowers or government officials who “leak” classified information. The First Amendment protects such “leaking” not only for the benefit of the speaker but also for the benefit to the public from ensuring that it is not duped by falsely placed assurances. We are more secure the more free we are to explore the state of our security.

The DMCA has thus far proved tough to dent, however. A federal appeals court ruled in favor of the Hollywood studios in November. On the very same day, a federal trial judge in New Jersey dismissed Felten's complaint. Sklyarov was permitted to return to Russia in December with charges against him dropped, but only after agreeing to provide testimony against Elcomsoft. That trial is scheduled to begin in April.


Taking It to Court

The courts are only beginning to address the extent to which First Amendment protection should exist for the authoring of source code to encrypt or decrypt electronic communications and software applications. Some see source code—the text of a computer program as written in a language such as Pascal—as sufficiently expressive to merit the full protections that the First Amendment affords language. Others say that source code is merely a set of instructions that command a computer to perform some function and therefore is best thought of as conduct rather than speech. If this law were able to develop mostly in the intellectual property arena, where academics such as Felten would carry the flag, the source code of encryption might eventually have a fighting chance to be accorded significant First Amendment protection.

But the public face of encryption is now a mug shot, and it belongs to Osama bin Laden. Free speech values will square off not against copyright interests but against the needs of the nation's war on terrorism. These changed circumstances are sure to influence the way the law of encryption unfolds. (Were libel law to have matured not during the civil rights era but in our age of saturation celebrity coverage and Gary Condit politics, for example, the press might not enjoy the liberties it currently has.) As the encryption debate shifts from CDs and DVDs to governmental efforts to regulate and limit the export of the technology itself, support for First Amendment protection for the source code of encryption may well be viewed as a luxury unaffordable in dangerous times.

In the 1990s, many in government began to view the proliferation of encryption technologies as a serious threat to national security. In 1993, the Clinton Administration proposed a key escrow technology, widely known as the “clipper chip,” that would have required makers of encryption software to provide law enforcement agencies with “back-door” access to the codes needed to crack encrypted messages if a need arose. Concerns about personal privacy and effectiveness doomed the clipper chip—what terrorist or criminal would use an encryption package whose “keys” were on file with the FBI?—though Sen. Judd Gregg (R-NH) has indicated his interest in bringing this issue back to the legislative agenda in the wake of the September 11 attacks.

In addition to the clipper chip debates, the 1990s also saw much dispute over the use of export controls to curb the spread of encryption. For a time, strict limitations were in place under the Export Administrative Regulations (EAR). There are still two ongoing challenges to these rules, one by Daniel Bernstein, who teaches mathematics and computer science at the University of Illinois, the other by law professor Peter Junger of the Case Western University School of Law. Both ran afoul of EAR when they sought to publicize their work on the creation of encryption systems. Bernstein won a stunning victory in a federal appeals court in 1999—a three-judge panel ruled that his publishing activity was protected by the First Amendment and that export controls were an unconstitutional prior restraint—but the full court agreed to rehear the case. With the case still unresolved, the Justice Department may now find the court more receptive to arguments that the ability to regulate encryption is essential to our national security.

The outcome of this litigation may tell us a lot about where the law of encryption is heading and whether the First Amendment will serve as a strong check on governmental regulation in this area. While it's true that by the time President Clinton left office the export controls on encryption were largely gone (U.S. software makers were able to persuade his administration that the export ban was largely useless because foreign companies took the lead in encryption development while we were stalled in dispute), the September 11 attacks will reinvigorate the hands of those who seek to control encryption. Fear of bin Laden, not Sklyarov or Felten, has seized the stage, and that is bad news for advocates of free and open access to this technology and the source code behind it.


Bruce W. Sanford is a partner with sBaker & Hostetler LLP in Washington D.C.
The author gratefully acknowledges the contributions of
Bruce D. Brown and Fred Underwood.
Sanford can be reached by e-mail at