passing a copyright protection law in 1998, Congress turned the exposure
of inadequate security systems into a crime, according to a First Amendment
expert, who says the Digital Millennium Copyright Act represents the
worst kind of special interest lawmaking.
By Bruce W. Sanford
an unlikely trio: a Russian Ph.D. student, a Norwegian teenager, and
a Princeton professor. Dmitry Sklyarov, Jon Johansen, and Edward Felten
are linked by software smarts and a healthy dose of derring-do. Each
has been able to decode some of the most sophisticated encryption protection
served up by American industry. Sklyarov peeled away the code guarding
Adobe's eBook Reader. Johansen, when he was 15, developed a method of
decrypting the DVDs that Hollywood studios are increasingly using to
distribute movies for home viewing. And Felten authored a paper that
busted the encryption techniques the recording industry was developing
to protect music on CDs.
the September 11 terrorist attacks placed the debate over encryption
back into the realm of national security, the liveliest conflicts over
this controversial technology were being fought on the intellectual
property front, with Sklyarov, Johansen, and Felten as its most public
faces. As happens so often in our legal system, the two key principles
at stake here are at odds with each other: Freedom of expression, on
the one hand, and copyright protection on the other.
an old tension, dating back as far as the Constitution itself. Congress
shall make no law abridging free speech, says the First Amendment,
but Article I gives those same lawmakers the power to grant an exclusive
right in the creation of literary and artistic works. First Amendment
freedoms and copyright protections have been at war ever since. There
were major clashes in the 1970s and 1980sThe Nation magazine tried
famously, for example, to scoop the publication of President Ford's
memoirs by running short excerpts and was hammered by the Supreme Court.
In the 21st century, encryption has become the center of the storm.
Sklyarov, and Johansen have each had a well-publicized scrap with the
Digital Millennium Copyright Act (DMCA), a 1998 federal law that criminalizes
the creation or distribution of any technology that can evade the encryption
used to put anti-piracy protections in place. As Professor Larry Lessig
of Stanford Law School has explained, the DMCA outlaws technologies
designed to circumvent other technologies that protect copyrighted material.
In essence, Congress has managed to take a giftthe exposure of
inadequate security systemsand turn it into a crime. Exposing
the failures of security technologies is surely unwelcome, but it is
also plainly information that people need to know. The First Amendment
value of publicizing the false hopes and hype around encryption should
beat out the repressive solution the DMCA represents.
is a failure in a number of ways. From a policy perspective, the statute
represents the worst kind of special interest lawmaking. The entertainment
industry rushed to Congress because it knew that the encryption technology
protecting its copyrights was vulnerable. But a statute such as the
DMCA, by criminalizing disclosure of these weaknesses, provides confidence
at the expense of a lie. The law is thus analogous to the Communications
Decency Act, struck down by the Supreme Court in 1997, which perpetuated
a cruel hoax on parents that the state could really act as a police
officer of the Internet. When government indulges fears in this fashion,
it runs the risk of legislating irresponsiblyand in violation
of the First Amendment. In this post-September 11 political climate,
in our haste to prevent further terrorism, will other sins follow in
the name of security?
copyright perspective, the DMCA's ban on the dismantling of encryption
does not take into account that the copyright statute itself permits
fair use of protected materials; the scope of the DMCA is
thus broader than the scope of copyright law. From a First Amendment
point of view, the problems are even more suffocating. The DMCA turns
the mere exposure of the vulnerabilities of supposedly super-encrypted
secrets into a criminal offense, even if the discloser does not use
these capabilities to infringe someone's copyright.
this year, for example, Felten was prepared to publish a paper revealing
the weaknesses of the recording industry's encryption system for CDs,
when he received a letter warning him not to take his research public.
Felten initially backed down, but subsequently presented his paper in
Washington, D.C. in Augustand is now the named plaintiff in a
lawsuit against the recording industry seeking to have the DMCA declared
unconstitutional as applied to his conduct. Felten's case has an ironic
twist; he only undertook this project in the first place in response
to a public challenge issued by a music trade group inviting all comers
to decrypt the industry's proposed security protocol.
and Johansen's know-how has created similar confrontations with the
DMCA. The Russian was picked up by the FBI in a Las Vegas in July while
attending a conference of computer programmers, where he was scheduled
to make a presentation on how his company, Elcomsoft, had developed
a program to permit owners of Adobe's Reader to work around certain
features of electronic books protected by encryption and customize the
files for their use. Adobe's complaint was that Elcomsoft's technology
could also be used by software pirates to steal these e-books
and sell them on the black market.
his arrest in Las Vegas, Sklyarov was put in prison for a short time,
a brazen step that The Washington Post called one of the most
oppressive uses of the law to date. As for Johansen, after he
publicized his ability to unlock the encrypted code protecting DVDs,
a U.S. Web site posted his work online. Eight Hollywood studios sued
the Web site, and in August 2000 a federal district judge in New York
ruled in their favor after a bench trial, putting aside the First Amendment
objections to the DMCA.
detentions, prosecutions. The DMCA protects copyrights by punishing
those who do no more than show the public how supposedly secure encryption
systems are easily breached. By debunking myths surrounding the impenetrability
of encryption, Sklyarov, Felten, and Johansen are fulfilling a function
similar to whistleblowers or government officials who leak
classified information. The First Amendment protects such leaking
not only for the benefit of the speaker but also for the benefit to
the public from ensuring that it is not duped by falsely placed assurances.
We are more secure the more free we are to explore the state of our
has thus far proved tough to dent, however. A federal appeals court
ruled in favor of the Hollywood studios in November. On the very same
day, a federal trial judge in New Jersey dismissed Felten's complaint.
Sklyarov was permitted to return to Russia in December with charges
against him dropped, but only after agreeing to provide testimony against
Elcomsoft. That trial is scheduled to begin in April.
are only beginning to address the extent to which First Amendment protection
should exist for the authoring of source code to encrypt or decrypt
electronic communications and software applications. Some see source
codethe text of a computer program as written in a language such
as Pascalas sufficiently expressive to merit the full protections
that the First Amendment affords language. Others say that source code
is merely a set of instructions that command a computer to perform some
function and therefore is best thought of as conduct rather than speech.
If this law were able to develop mostly in the intellectual property
arena, where academics such as Felten would carry the flag, the source
code of encryption might eventually have a fighting chance to be accorded
significant First Amendment protection.
public face of encryption is now a mug shot, and it belongs to Osama
bin Laden. Free speech values will square off not against copyright
interests but against the needs of the nation's war on terrorism. These
changed circumstances are sure to influence the way the law of encryption
unfolds. (Were libel law to have matured not during the civil rights
era but in our age of saturation celebrity coverage and Gary Condit
politics, for example, the press might not enjoy the liberties it currently
has.) As the encryption debate shifts from CDs and DVDs to governmental
efforts to regulate and limit the export of the technology itself, support
for First Amendment protection for the source code of encryption may
well be viewed as a luxury unaffordable in dangerous times.
1990s, many in government began to view the proliferation of encryption
technologies as a serious threat to national security. In 1993, the
Clinton Administration proposed a key escrow technology, widely known
as the clipper chip, that would have required makers of
encryption software to provide law enforcement agencies with back-door
access to the codes needed to crack encrypted messages if a need arose.
Concerns about personal privacy and effectiveness doomed the clipper
chipwhat terrorist or criminal would use an encryption package
whose keys were on file with the FBI?though Sen. Judd
Gregg (R-NH) has indicated his interest in bringing this issue back
to the legislative agenda in the wake of the September 11 attacks.
to the clipper chip debates, the 1990s also saw much dispute over the
use of export controls to curb the spread of encryption. For a time,
strict limitations were in place under the Export Administrative Regulations
(EAR). There are still two ongoing challenges to these rules, one by
Daniel Bernstein, who teaches mathematics and computer science at the
University of Illinois, the other by law professor Peter Junger of the
Case Western University School of Law. Both ran afoul of EAR when they
sought to publicize their work on the creation of encryption systems.
Bernstein won a stunning victory in a federal appeals court in 1999a
three-judge panel ruled that his publishing activity was protected by
the First Amendment and that export controls were an unconstitutional
prior restraintbut the full court agreed to rehear the case. With
the case still unresolved, the Justice Department may now find the court
more receptive to arguments that the ability to regulate encryption
is essential to our national security.
of this litigation may tell us a lot about where the law of encryption
is heading and whether the First Amendment will serve as a strong check
on governmental regulation in this area. While it's true that by the
time President Clinton left office the export controls on encryption
were largely gone (U.S. software makers were able to persuade his administration
that the export ban was largely useless because foreign companies took
the lead in encryption development while we were stalled in dispute),
the September 11 attacks will reinvigorate the hands of those who seek
to control encryption. Fear of bin Laden, not Sklyarov or Felten, has
seized the stage, and that is bad news for advocates of free and open
access to this technology and the source code behind it.
W. Sanford is a partner with sBaker & Hostetler LLP in Washington
The author gratefully acknowledges the contributions of
Bruce D. Brown and Fred Underwood.
Sanford can be reached by e-mail at firstname.lastname@example.org.