Declaration of Michael Reiter

in Felten v. RIAA (Aug. 13, 2001)

Grayson Barber (GB 0034)
Grayson Barber, L.L.C.
68 Locust Lane
Princeton, NJ 08540
(609) 921-0391

Frank L. Corrado (FLC 9895)
Rossi, Barry, Corrado & Grassi, P.C.
2700 Pacific Avenue
Wildwood, NJ 08260
(609) 729-1333

(Additional Counsel listed on signature page)
Attorneys for Plaintiffs


ASSOCIATION, a Delaware non-profit
non-stock corporation,



   Hon. Garrett E. Brown, Jr.
   Case No. CV-01-2669 (GEB)
   Civil Action




his official capacity as ATTORNEY
DOES 1 through 4, inclusive,



I, Michael Reiter, hereby declare:

1. I am an active computer security researcher and Director of Secure Systems Research in Bell Labs, Lucent Technologies, Murray Hill, New Jersey. This declaration is made on my own behalf and does not necessarily represent the position of my employer or any other party. Attached hereto as Exhibit A is my current curriculum vitae. The facts stated in this declaration are known to me of my own personal knowledge or, if stated on information or belief, I believe them to be true. If called upon to testify to the matters in this declaration, I could and would competently do so.

2. Based on my experience, the Digital Millenium Copyright Act (DMCA) is perceived by many in the computer security research community as a threat to the free publication of scientific results in certain areas of computer security research. This perception has been exacerbated by the actions taken by the RIAA and SDMI against the Craver et al. paper that was to be presented at the 2001 Information Hiding Workshop (see below) and by the arrest of Dimitry Sklyarov. As a computer security researcher, I am concerned about DMCA liability. In one case of which I am aware (described below), a non-U.S. researcher has expressed concerns over his personal safety if he were to submit to a U.S. conference a research result that he thought might violate the DMCA, and subsequently declined to submit the paper for this reason.

3. Also based on my experience, there is considerable uncertainty among computer security researchers and professional associations as to the liabilities that conference organizers might incur if they accept a paper for presentation or publication that might be construed as violating the DMCA. As I will describe below, a workshop for which I am serving as General Chair is facing this issue presently, and another conference in which I am involved is anticipating this issue. For this reason, I am spending time and energy interacting with the respective sponsoring organizations to find some resolution.

Past: The 2001 Information Hiding Workshop

4. I served as a member of the Program Committee of the 2001 Information Hiding Workshop, held in Pittsburgh, Pennsylvania on April 25(27, 2001. As is typical for scientific meetings, the Program Committee was charged with evaluating submitted papers for technical quality, research contribution, and appropriateness for the workshop. On these bases, the Program Committee was to select a subset of these submissions for presentation at the workshop and publication in the workshop proceedings.

5. The Program Committee of the 2001 Information Hiding Workshop accepted a submission by Craver et al., entitled "Reading between the lines: Lessons from the SDMI challenge".

6. On April 17, 2001, I received an email from the Program Chair of the Information Hiding Workshop. The email was addressed to the Program Committee. In the email, the Chair described a letter he received (by copy) from Matthew Oppenheim, Secretary the SDMI Foundation, suggesting that the Craver et al. paper may violate the DMCA (among other things). The email further raised the possibility of liability of conference organizers, and stated, "I think the only ones on the hook might be [the General Chair], and myself, but I would be remiss if I did not alert you to the potential issues."

7. On April 19, 2001, I received an email from the Program Chair that was reportedly a copy of a letter he sent to the authors of the Craver et al. paper, the RIAA, and others. It requested that all parties come to an agreement to permit presentation and publication of the paper at the workshop. It further required that the Program Chair receive written permission from the parties involved before he would permit the Craver et al. paper to be presented.

8. On April 24, 2001, I met with Ross Anderson (founder of the Information Hiding Workshop series, and a Program Committee member) and John McHugh (the General Chair). We decided to reverse the Program Chair's withdrawal of the Craver et al. paper, and to permit the presentation of the paper at the workshop. Ross Anderson informed the Program Committee of this decision by email on April 24. This was followed by an email explanation from John McHugh.

9. I was unable to attend the Information Hiding Workshop, and so cannot speak directly to the events that transpired there. However, it is my understanding that the authors of the Craver et al. paper chose to not present the paper at the workshop due to ongoing pressures that they were experiencing.

10. As a Program Committee Member of the 2002 Information Hiding Workshop, I have provided input into the planning for this workshop. The Program Committee voted to hold the workshop at a European location, and it is my understanding that the DMCA was the reason that no bids to host the workshop were encouraged from U.S. scientists.

Present: The 2001 Workshop on Security and Privacy in Digital Rights Management

11. I am presently serving as General Chair of the 8th ACM Conference on Computer and Communications Security (CCS), to be held in Philadelphia, Pennsylvania on November 5(8, 2001. This conference is the flagship computer security conference of the Association for Computing Machinery (ACM). In my capacity as General Chair, I also oversee the Workshop on Security and Privacy in Digital Rights Management, being held as part of this conference.

12. On July 30, 2001, I received an email from the Program Chair of the Workshop on Security and Privacy in Digital Rights Management. This email included, by forward, another email from a researcher, Niels Ferguson, who had written to the Program Chair. This forwarded email read:

I have recently completed a paper containing a practical attack on the [name omitted] content-protection system as published by [URL omitted]. I think this paper would be a perfect match for your conference. There is just one problem: the DMCA.

I would love to submit this paper and present it at your conference. However, since the arrest of a foreign national at a conference where he spoke about breaking content-protection systems, I do not feel safe in talking about this paper in the US, or even sending the paper to a US email address. On the other hand, your conference is without a doubt the most appropriate venue for publishing my paper.

In his note, the Program Chair expressed deep concern over this issue and its ramifications not only for the author, but also for the workshop and the ACM. He explicitly requested that the Program Committee not be asked to attempt to determine the legality of submissions. Rather, he asked that they be allowed to evaluate submissions based on appropriateness for the workshop and technical merit, as is customary for scientific conferences.

13. Prompted by the inquiry described in Paragraph 12, I approached (via email) several members of the leadership in ACM to understand the liabilities both that the author might incur and that workshop organizers might incur by accepting papers that could violate the DMCA. I approached the Chair of the ACM Special Interest Group on Security, Audit, and Control(the sponsoring SIG for the CCS conference(on July 31, 2001. On his advice, I have since addressed this issue to several other members of the ACM organization. It has been vaguely suggested that the Association Professional Liability insurance maintained by the ACM might provide some protection for ACM members serving as conference organizers. However, as I have not seen a copy of this insurance, I cannot verify the extent of any protections this might offer. Moreover, any protections that it might offer would be limited to ACM members. ACM membership is not required for a person to serve as a conference organizer, and I expect that several are not ACM members. At the time of this writing, I have not received a satisfactory answer to offer to the Program Chair of the workshop.

14. On August 3, 2001, I received an email from the Program Chair informing me of the submission of two papers to the workshop that, in his opinion, might present problems with respect to the DMCA. These papers are apparently unconnected with the inquiry described in Paragraph 12. Indeed, it is my understanding that Niels Ferguson, the author of the inquiry described in Paragraph 12, has decided to not submit his paper to the workshop, citing the DMCA as the cause.

Future: The 2002 IEEE Symposium on Security and Privacy

15. I am presently serving as Vice Chair of the IEEE Technical Committee on Security and Privacy (TCSP), and will assume the role of Chair in 2002. This technical committee sponsors the IEEE Symposium on Security and Privacy, the flagship computer security conference of the Institute of Electrical and Electronics Engineers (IEEE). This symposium is held each May in Berkeley, California.

16. On July 24, 2001, I received an email addressed to the TCSP leadership from the Program Co-Chair of the 2002 IEEE Symposium on Security and Privacy. This email reported that a discussion was presently taking place in the Program Committee to understand the ramifications of the DMCA to the conference. The email cited the Craver et al. (Felten) case and the Sklyarov arrest, and raised the question of how to react to the submission of a paper that might be construed as violating the DMCA. It reported that there was a suggestion from a member of the committee to move the conference outside the U.S., breaking with a 21-year tradition of being held in Berkeley.

17. Following the email described in Paragraph 16, a discussion ensued among the TCSP leadership. Suggestions ranged from discouraging submission of papers that might violate the DMCA to asking the IEEE for advice. It was determined that I would approach the IEEE with this issue. I approached members of the IEEE organization with an email inquiry on July 26, 2001, and plan to discuss it with them soon.


I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct and was executed at Murray Hill, New Jersey on this the 9th day of August, 2001.

Michael Reiter

Grayson Barber (GB 0034)
Grayson Barber L.L.C.
68 Locust Lane
Princeton, NJ 08540
phone (609) 921-0391
fax (609) 921-7405
Frank L. Corrado (FLC 9895)
Rossi, Barry, Corrado & Grassi, PC
2700 Pacific Avenue,
Wildwood, NJ 08260
phone (609) 729-1333
fax (609) 522-4927
Gino J. Scarselli
664 Allison Drive
Richmond Hts., OH 44143
(216) 291-8601 (phone and fax)
James S. Tyre
10736 Jefferson Blvd., # 512
Culver City, CA 90230-4969
phone (310) 839-4114
fax (310) 839-4602
Cindy A. Cohn
Lee Tien
Robin Gross
Electronic Frontier Foundation
454 Shotwell St.
San Francisco, CA 94110
phone (415) 436-9333
fax (415) 436-9993
Joseph P. Liu
Boston College Law School
885 Centre Street
Newton, MA 02459
phone (617) 552-8550

Attorneys for Plaintiffs

Exhibit A


Please send any questions or comments to webmaster@eff.org.