HEWLETT PACKARD'S TROUBLING ATTEMPT TO USE THE DIGITAL MILLENNIUM COPYRIGHT ACT IN THE COMPUTER SECURITY CONTEXT
By BRAD LEVANG
Wednesday, Aug. 14, 2002
SnoSoft is a small computer research company that recently seemed to be in big trouble. A researcher there posted, of his own accord, a link to a web page containing code that allows users to take advantage of a security hole discovered in Hewlett Packard's Tru64 UNIX operating system. Employing the code, users can bypass security measures and gain control of a computer running Tru64.
In late July, Hewlett Packard sent a letter to SnoSoft threatening to sue the company over its employee's posting of a link to the code. HP threatened, in particular, to invoke the Digital Millennium Copyright Act (DMCA) - thereby marking one of the first attempts to invoke the DMCA in a computer security context. Moreover, it threatened SnoSoft employees with $500,000 fines and 5 years in jail when the DMCA case went to court.
On August 2, HP informed the world that it was not going to pursue legal action against SnoSoft. But it appears to have done so as a result of public pressure - not because it is backing down on its aggressive interpretation of the DMCA to reach SnoSoft.
HP's attempt at applying the DMCA in a new context supports opponents' fears of the controversial Act. It also underlines the importance of the public's speaking out against abuses of the DMCA.
The Controversy Over the Digital Millennium Copyright Act
Passed in 1998, the Digital Millennium Copyright Act was meant to herald a new era of copyright protection for works in an expanding digital world. Its most controversial sections address the circumvention of anti-piracy measures designed to protect copyrighted works.
The DMCA is intended to prevent unauthorized use of copyrighted works - such as bypassing a DVD's encryption and distributing copies. Toward this end, the Act criminalizes the use of circumvention technology.
Opponents argue that in so doing, the Act wrongly assumes the only use of such technology is for illegal, nefarious purposes. In fact, they argue, that is far from the case; many uses of such technology vindicate free speech and "fair use" rights.
For instance, a CD purchaser is perfectly within his or her rights - under the "fair use" doctrine that provides an exception to the copyright law - to copy the CD so he or she can listen to it in the car. Nevertheless, the DMCA technically criminalizes this activity if the listener bypasses the copy protection of the CD to make the copy.
Opponents of the DMCA feared companies would invoke the Act too broadly. So far, their fears have been realized in a long string of controversial applications of the DMCA.
Since its enactment, the DMCA has been repeatedly used as a legal weapon to silence criticism and legitimate copying. It has been used to threaten not only those who invoked their "fair use" rights to bypass DVD encryption, but also a professor who demonstrated flaws in digital watermarking protection, and the owner of Sony's robotic dog Aibo, who created custom programs for the toy dog.
Now, with HP's threat against SnoSoft, the DMCA is being used, if possible, even more aggressively - in an attempt to silence someone publicly speaking out about a flaw in Tru64's security. Recall that the DMCA was meant to stop people who employ technologies to engage in unauthorized copying of copyrighted works. Now, however, it is being employed in a wholly different context - in attempting to stop speech about technologies that have nothing to do with copyright protection, like HP's Tru64 code.
The argument that speech itself is an anti-circumvention measure is dangerous - it will tend to inhibit valuable research, discussion and innovation. The argument that HP, in protecting its code, is protecting copyright is simply untrue: HP is really trying to protect its operating system from being "hacked" and its computers from being hijacked.
That might be a worthy goal - but it has nothing to do with the DMCA. Moreover, the posting did not enable others to access HP copyrighted works. Rather, it only revealed a security hole that HP could patch before a hacker discovered it.
Why It Is Crucial For the Public To Speak Out About DMCA Misuses
It turns out that the most effective defense against the DMCA is not any legal theory, but rather the voice of the people.
For example, in a previous controversial application, Russian programmer Dmitry Sklyarov was criminally charged under the DMCA for writing a program circumventing the copyright security of Adobe's e-book. However, Adobe later dropped the charges after harsh public criticism, several protests, and myriad web pages speaking out against their actions.
Similarly, HP's about-face with respect to SnoSoft's web page was brought about not by any crack legal team, but by a massive public outcry. Soon after SnoSoft received the letter from HP, the letter started circulating on the internet. Sharp public criticism of HP followed - focusing, in particular, on its heavy-handed application of the DMCA to someone publicizing a shortcoming in one of HP's products.
Many companies would like to use the DMCA to stifle criticism and silence those who spot security problems. Unfortunately, the DMCA's broad wording makes it easy for them to send threatening "cease and desist" letters in the hope that the threat of litigation alone will act as a deterrent. Based on some of the recent court decisions regarding the DMCA, if the small SnoSoft had actually been forced to go up against the huge HP - or a federal prosecution team - with a phalanx of lawyers, few would be putting odds on SnoSoft.
Fortunately, as HP learned, the public does not react favorably to companies that utilize broadly drafted legislation to strong-arm others. The swift negative reaction left HP with an obvious choice: Become known as the company that crushes free speech, or become the company that encourages public involvement in improving their products. HP wisely chose the latter.