Declaration of USENIX Association

in Felten v. RIAA (Aug. 13, 2001)

Grayson Barber (GB 0034)
Grayson Barber, L.L.C.
68 Locust Lane
Princeton, NJ 08540
(609) 921-0391

Frank L. Corrado (FLC 9895)
Rossi, Barry, Corrado & Grassi, P.C.
2700 Pacific Avenue
Wildwood, NJ 08260
(609) 729-1333

(Additional Counsel listed on signature page)
Attorneys for Plaintiffs

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY

I, Eleanor Young, hereby declare:

1. I am the executive director of USENIX, the Advanced Computing Systems Association, a Delaware non-profit non-stock corporation, with its headquarters at 2560 Ninth Street, Suite 215, Berkeley, California, 94710. I have held this position since 1989.

2. Since 1975, USENIX has brought together the community of engineers, system administrators, scientists, and technicians working on the cutting edge of the computing world.

3. The official goals of USENIX and its members include: problem-solving with a practical bias; fostering innovation and research that works; communicating rapidly the results of both research and innovation; and providing a neutral forum for the exercise of critical thought and the airing of technical issues.

4. Our primary instrument for achieving these goals is our conferences, which have become essential meeting grounds for the presentation and discussion of the most advanced information on the developments of all aspects of advanced computing systems.

5. These conferences are USENIX's main source of revenue. In 2000, for example, we derived 80 percent of our revenues from conferences.

USENIX Conference

7. The main component of our conferences is the presentation of substantive scientific, engineering and technical research papers by authors. Papers presented at our conferences are published in a volume of conference proceedings, which is included as part of the conference admission and distributed to attendees at the beginning of each conference.

8. All papers presented at our conferences are first chosen by a formal referee process. We use a standard review form for all papers and rank papers submitted in a particular subject area. The top ranking papers are chosen for the conference. The competition for submission to USENIX conferences is rigorous. Generally a little less than one-third of the papers submitted for a particular topic are chosen for presentation. For instance, for the upcoming USENIX Security conference in August, 25 papers were accepted out of a total of 83 submitted.

9. The Program Committee for each conference consists of experts in the particular field that is the subject of the conference. In addition, papers are reviewed by outside experts.

10. Papers that are accepted for USENIX conferences are made available online to USENIX members for the first year after presentation. After the first year, all USENIX presented-papers are available for free on our website.

11. USENIX does not require the assignment of copyright for papers presented at our conferences. Most presenters at USENIX conferences also maintain personal or professional web pages where they make available their papers and supporting information. We ask only for an exclusive license (with the exception of the author) for online publication for the first year after presentation and we ask that authors not make their papers available until after presentation at the conference.

12. Papers presented at our conferences cover a wide range of scientific and computing topics. Exhibit A.

13. Given the nature of the field, USENIX conference papers often set forth computer programs written in source code. Attached hereto as Exhibit B is a list of USENIX papers which include source code in the paper itself, as well as those that offer the location of source code referenced within the paper.

14. Since source code often more precisely describes the tools, methods and processes implemented or explained in the underlying research, inclusion of it in USENIX papers is often required in order for the paper to pass the rigorous scientific peer-review requirements for USENIX papers.

15. USENIX maintains an online index and nearly all of the papers presented at the 73 USENIX conferences that have been held since 1993. In total, there are currently 1,406 refereed papers online at .

16. Over the years, USENIX has grown. In the six years from 1993 to October 1998 we held 45 conferences, an average of 7.5 per year, and placed 848 papers online, an average of 141 per year. Since 1998 we have held 27 conferences, an average of 11 per year and placed 558 papers online, averaging 223 per year.

17. USENIX conferences also feature more practical tutorials. Attached hereto as Exhibit D is a list of tutorials scheduled for the upcoming USENIX Security Symposium and a recent conference we held in January, 2001.

18. Both the presentations and the tutorials at USENIX conferences feature papers and computer programs that participate in the long tradition in the security field of publishing attacks on systems that are in production. An interpretation of §1201 that extends to any attack that breaks a security system that happens to be used or could potentially be used to protect copyrighted content, would include essentially the entire body of security literature that describes attacks against ciphers, protocols, and, to some extent, implementations. Examples of those include:

Steven M. Bellovin, "Problem Areas for the IP Security Protocols," in Proceedings of the Sixth USENIX Unix Security Symposium, pp. 1-16, San Jose, CA, July 1996.
Steven M. Bellovin and Michael Merritt, "Limitations of the Kerberos Authentication System," in USENIX Conference Proceedings, pp. 253--267, Winter 1991
Steven M. Bellovin, "Using the Domain Name System for System Break-Ins", in Proceedings of the Fifth USENIX UNIX Security Symposium, Salt Lake City, UT, June, 1995.
Matt Blaze, presented an Invited Talk at the USENIX Summer Technical Conference in 1994 on "Protocol Failure in the Escrowed Encryption Standard.'' (also published later at the 2nd ACM Conference on Computer and Communications Security.) Fairfax, VA., November 1994. (Also appeared in Building in Big Brother, L. Hoffman, ed. Springer, 1995.)
Lawrence Joncheray, "A Simple Active Attack Against TCP", 5th Usenix Security Symposium (1995, Salt Lake City)
Jonathan Katz and Bruce Schneier, "A Chosen Ciphertext Attack Against Several E-Mail Encryption Protocols", 9th Usenix Security Symposium, 2000, Denver.
Alec Muffet "WAN-hacking with AutoHack: Auditing Security Behind the Firewall",, 5th Usenix Security Symposium (1995, Salt Lake City)

Submission of the Felten Paper to the 10th USENIX Security Symposium

19. An example of our specific-topic conferences is the upcoming 10th USENIX Security Symposium, Aug. 13-17, 2001, Washington, D.C. Attached hereto as Exhibit is the brochure for that conference. It is also available on our website.

20. The paper at issue in this case, "Reading Between the Lines: Lessons from the SDMI Challenge," (hereinafter Felten Paper), was submitted to the Program committee for the 10th USENIX Security Conference in late May, 2001. It was submitted about a month after the deadline for the conference papers, but USENIX has in the past accepted late-submitted papers.

21. Since the paper was late, the Program Committee was first polled to see if they would consider the paper. The Committee agreed to review the paper and several members volunteered to do the standard review. Four reviews of the paper were done, including one from an outside expert. Members of the Program Committee who were co-authors of the paper recused themselves in accordance with our standard processes. The reviews were done on the standard review form used for all other papers for the Conference.

22. The reviews were then compiled in the same manner as for all other papers submitted to the referee process. The scores for the Felten Paper were inserted into the overall rankings for all of the papers. It came out as the seventh highest paper submitted. Since the top 25 papers submitted were accepted to the conference, this ranking qualified the paper for presentation at the conference.

23. The Program Committee then deliberated about the technical merits of the paper and decided to accept it.

Concerns of USENIX

24. The USENIX Program Committee, Board of Directors and Executive Committee have all raised concerns about the legal ramifications of allowing the paper to be presented at the Conference. USENIX has never had any brushes with the law, as either plaintiff or defendants. Most of the individuals involved in USENIX are academics and researchers who are seldom involved in controversy or subject to threats of litigation or criminal liability. The threats made to the organizers of the Information Hiding Workshop, which were very well publicized, were quite frightening.

25. Because of this, I consulted with legal counsel for USENIX and was informed that, in view of the situation that occurred prior to the Information Hiding Workshop, especially the letter from RIAA and SDMI sent to Professor Felten, his team, their institutions and the conference organizers, USENIX might be similarly threatened or sued for presenting and publishing the paper at its Conference and subsequently on its website and in the proceedings.

26. I was also informed that the decision of the New York District Court in Universal v. Remeirdes, could support liability for USENIX. This is because the Court held that, even if the creator of a controlled circumvention device could claim the "encryption research" exception to part of the DMCA, a subsequent publisher who did not create it but who merely publishes it is not eligible for protection of the exception and could be liable.

27. In addition, because the bulk of USENIX's revenues comes from our conferences, and people pay to attend our conferences because of the papers we publish, USENIX fears that it derives sufficient commercial advantage from presenting and publishing conference papers so as to be subject to criminal prosecution under the DMCA.

28. Because the DMCA is a very new statute for which there is little authoritative precedent, and because the statute itself is not clear, USENIX cannot accurately assess the magnitude of the risk involved in presenting and publishing the Felten Paper.

29. Even if we could be assured that the risk of civil and criminal liability were small, defending such a lawsuit would itself be very expensive and we cannot afford to pay for such a defense.

30. Although the Felten paper has been accepted for the August conference, USENIX will remove the paper from the conference agenda and proceedings if the fear of liability is not definitively eliminated. The bound volume of proceedings will be finished on or about August 10. We will cut the paper out of the bound volumes by hand if we have to.

31. USENIX does not desire this result, for several reasons.

Censoring ourselves will irreparably harm USENIX

32. USENIX is the top network security venue in the world. In addition to the annual Security Symposium, we have security components to nearly all of our other conferences, representing approximately 20% of our conference time in total. All of the leaders in computer security come to our conferences and present their work there.

33. We have reached this point because of our reputation for choosing strong, scientific papers through a pure peer review process. We are known for having high scientific standards and for not yielding to political or commercial pressure.

34. Our reputation as a scientific and technical organization would be irreparably harmed within the scientific and technical community if we were to censor legitimate research such as the Felten paper.

35. We believe we will lose the trust of the security and other scientific communities if we are forced to censor our conference and publications. We are concerned that these communities will go elsewhere for their conferences and publications, either in the United States or abroad, where there are other security conferences that have so far been less prestigious than ours. Loss of this 20% of our business would be a major blow and could force us out of business, since the profit margins on our conferences are not large.

This is a continuing problem

36. Because of the nature of our work, we believe that we will continue to face this problem in the future. As described above, USENIX has long published papers in fields that necessarily involve so-called "technical protection measures" and their vulnerabilities. Unbiased, objective research in the field of computer and data security has always included research into weaknesses as well as strengths. Thus, censoring the Felten paper merely addresses an immediate problem that will recur.

37. We sponsor 8-10 conferences per year. Of those, at least six have a security component where an issue about the anti-dissemination provisions could arise.

38. Although the DMCA provides exemptions for encryption research and security testing, there is apparently great uncertainty about whether these exemptions protect our publishing activities. As noted above, in the Universal v. Remeirdes case, the District Court stated that subsequent publishers of scientific work could not avail themselves of the exceptions.

39. USENIX could adopt a policy of steering clear of papers that might subject us to liability under DMCA. Again, if we were forced to do so, our reputation would be irreparably harmed.

40. I believe that the threat of DMCA liability is harmful to scientific and technical innovation in the United States. There is a real risk that if conferences like ours cannot afford to take the risk of publishing papers like Prof. Felten's, such conferences will be held in other countries where the risk of liability is smaller. The movement of forums for scientific discussion overseas will damage scientific discussion here.

DATE: ____________________			_____________________________
							            ELEANOR YOUNG

Attorneys for Plaintiffs

Please send any questions or comments to webmaster@eff.org.