Declaration of Michael Reiter
in Felten v. RIAA (Aug. 13, 2001)
Grayson Barber (GB 0034)
Frank L. Corrado (FLC 9895)
(Additional Counsel listed on signature page)
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY
I, Michael Reiter, hereby declare:
1. I am an active computer security researcher and Director of Secure Systems Research in Bell Labs, Lucent Technologies, Murray Hill, New Jersey. This declaration is made on my own behalf and does not necessarily represent the position of my employer or any other party. Attached hereto as Exhibit A is my current curriculum vitae. The facts stated in this declaration are known to me of my own personal knowledge or, if stated on information or belief, I believe them to be true. If called upon to testify to the matters in this declaration, I could and would competently do so.
2. Based on my experience, the Digital Millenium Copyright Act (DMCA) is perceived by many in the computer security research community as a threat to the free publication of scientific results in certain areas of computer security research. This perception has been exacerbated by the actions taken by the RIAA and SDMI against the Craver et al. paper that was to be presented at the 2001 Information Hiding Workshop (see below) and by the arrest of Dimitry Sklyarov. As a computer security researcher, I am concerned about DMCA liability. In one case of which I am aware (described below), a non-U.S. researcher has expressed concerns over his personal safety if he were to submit to a U.S. conference a research result that he thought might violate the DMCA, and subsequently declined to submit the paper for this reason.
3. Also based on my experience, there is considerable uncertainty among computer security researchers and professional associations as to the liabilities that conference organizers might incur if they accept a paper for presentation or publication that might be construed as violating the DMCA. As I will describe below, a workshop for which I am serving as General Chair is facing this issue presently, and another conference in which I am involved is anticipating this issue. For this reason, I am spending time and energy interacting with the respective sponsoring organizations to find some resolution.
Past: The 2001 Information Hiding Workshop
4. I served as a member of the Program Committee of the 2001 Information Hiding Workshop, held in Pittsburgh, Pennsylvania on April 25(27, 2001. As is typical for scientific meetings, the Program Committee was charged with evaluating submitted papers for technical quality, research contribution, and appropriateness for the workshop. On these bases, the Program Committee was to select a subset of these submissions for presentation at the workshop and publication in the workshop proceedings.
5. The Program Committee of the 2001 Information Hiding Workshop accepted a submission by Craver et al., entitled "Reading between the lines: Lessons from the SDMI challenge".
6. On April 17, 2001, I received an email from the Program Chair of the Information Hiding Workshop. The email was addressed to the Program Committee. In the email, the Chair described a letter he received (by copy) from Matthew Oppenheim, Secretary the SDMI Foundation, suggesting that the Craver et al. paper may violate the DMCA (among other things). The email further raised the possibility of liability of conference organizers, and stated, "I think the only ones on the hook might be [the General Chair], and myself, but I would be remiss if I did not alert you to the potential issues."
7. On April 19, 2001, I received an email from the Program Chair that was reportedly a copy of a letter he sent to the authors of the Craver et al. paper, the RIAA, and others. It requested that all parties come to an agreement to permit presentation and publication of the paper at the workshop. It further required that the Program Chair receive written permission from the parties involved before he would permit the Craver et al. paper to be presented.
8. On April 24, 2001, I met with Ross Anderson (founder of the Information Hiding Workshop series, and a Program Committee member) and John McHugh (the General Chair). We decided to reverse the Program Chair's withdrawal of the Craver et al. paper, and to permit the presentation of the paper at the workshop. Ross Anderson informed the Program Committee of this decision by email on April 24. This was followed by an email explanation from John McHugh.
9. I was unable to attend the Information Hiding Workshop, and so cannot speak directly to the events that transpired there. However, it is my understanding that the authors of the Craver et al. paper chose to not present the paper at the workshop due to ongoing pressures that they were experiencing.
10. As a Program Committee Member of the 2002 Information Hiding Workshop, I have provided input into the planning for this workshop. The Program Committee voted to hold the workshop at a European location, and it is my understanding that the DMCA was the reason that no bids to host the workshop were encouraged from U.S. scientists.
Present: The 2001 Workshop on Security and Privacy in Digital Rights Management
11. I am presently serving as General Chair of the 8th ACM Conference on Computer and Communications Security (CCS), to be held in Philadelphia, Pennsylvania on November 5(8, 2001. This conference is the flagship computer security conference of the Association for Computing Machinery (ACM). In my capacity as General Chair, I also oversee the Workshop on Security and Privacy in Digital Rights Management, being held as part of this conference.
12. On July 30, 2001, I received an email from the Program Chair of the Workshop on Security and Privacy in Digital Rights Management. This email included, by forward, another email from a researcher, Niels Ferguson, who had written to the Program Chair. This forwarded email read:
In his note, the Program Chair expressed deep concern over this issue and its ramifications not only for the author, but also for the workshop and the ACM. He explicitly requested that the Program Committee not be asked to attempt to determine the legality of submissions. Rather, he asked that they be allowed to evaluate submissions based on appropriateness for the workshop and technical merit, as is customary for scientific conferences.
13. Prompted by the inquiry described in Paragraph 12, I approached (via email) several members of the leadership in ACM to understand the liabilities both that the author might incur and that workshop organizers might incur by accepting papers that could violate the DMCA. I approached the Chair of the ACM Special Interest Group on Security, Audit, and Control(the sponsoring SIG for the CCS conference(on July 31, 2001. On his advice, I have since addressed this issue to several other members of the ACM organization. It has been vaguely suggested that the Association Professional Liability insurance maintained by the ACM might provide some protection for ACM members serving as conference organizers. However, as I have not seen a copy of this insurance, I cannot verify the extent of any protections this might offer. Moreover, any protections that it might offer would be limited to ACM members. ACM membership is not required for a person to serve as a conference organizer, and I expect that several are not ACM members. At the time of this writing, I have not received a satisfactory answer to offer to the Program Chair of the workshop.
14. On August 3, 2001, I received an email from the Program Chair informing me of the submission of two papers to the workshop that, in his opinion, might present problems with respect to the DMCA. These papers are apparently unconnected with the inquiry described in Paragraph 12. Indeed, it is my understanding that Niels Ferguson, the author of the inquiry described in Paragraph 12, has decided to not submit his paper to the workshop, citing the DMCA as the cause.
Future: The 2002 IEEE Symposium on Security and Privacy
15. I am presently serving as Vice Chair of the IEEE Technical Committee on Security and Privacy (TCSP), and will assume the role of Chair in 2002. This technical committee sponsors the IEEE Symposium on Security and Privacy, the flagship computer security conference of the Institute of Electrical and Electronics Engineers (IEEE). This symposium is held each May in Berkeley, California.
16. On July 24, 2001, I received an email addressed to the TCSP leadership from the Program Co-Chair of the 2002 IEEE Symposium on Security and Privacy. This email reported that a discussion was presently taking place in the Program Committee to understand the ramifications of the DMCA to the conference. The email cited the Craver et al. (Felten) case and the Sklyarov arrest, and raised the question of how to react to the submission of a paper that might be construed as violating the DMCA. It reported that there was a suggestion from a member of the committee to move the conference outside the U.S., breaking with a 21-year tradition of being held in Berkeley.
17. Following the email described in Paragraph 16, a discussion ensued among the TCSP leadership. Suggestions ranged from discouraging submission of papers that might violate the DMCA to asking the IEEE for advice. It was determined that I would approach the IEEE with this issue. I approached members of the IEEE organization with an email inquiry on July 26, 2001, and plan to discuss it with them soon.
I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct and was executed at Murray Hill, New Jersey on this the 9th day of August, 2001.
Attorneys for Plaintiffs
Please send any questions or comments to firstname.lastname@example.org.