Comments of Peter Harter, President of e-music, on the Digital Millenium Copyright Act

July 26, 1999

Paula J. Bruening
Office of Chief Counsel
National Telecommunications and Information Administration
Room 4713
U.S. Department of Commerce
14th and Constitution Avenue, N.W.
Washington, D.C. 20230

Jesse M. Feder
Office of Policy and International Affairs
U.S. Copyright Office
Copyright GC/I&R
P.O. Box 70400, Southwest Station
Washington, D.C. 20024

Re: Request for Comments on Section 1201(g)
of the Digital Millennium Copyright Act,
Docket No. 990428110-9110-01

Dear Ms. Bruening and Mr. Feder:

EMusic.com welcomes this opportunity to submit comments on the impact that Section 1201(g) of the Digital Millennium Copyright Act, P.L. No. 105-304, 112 Stat. 2860 (October 28, 1998) ("DMCA"), will have on encryption research and the development of encryption technology. EMusic.com would like to focus, in particular, on the effect that Section 1201(g) will have an efforts to evaluate the effectiveness of industry-sponsored security and copyright management specifications that incorporate cryptography.

The Growing Importance of Industry-Sponsored Standards

One of the principal motivations behind the enactment of the DMCA was the recognition that a rapidly expanding amount of copyrighted content - be it text, video, audio, or otherwise - will be distributed in digital form. As the distribution of digital content proliferates, copyright owners will seek to develop methods of preventing unauthorized use of their content, such as the commercial distribution of unlicensed copies. Because most forms of digital media can be downloaded, stored, and replayed across an array of different devices, different industry sectors will likely seek to cooperate in the design and implementation of uniform specifications for copyright management systems (subject, of course, to the limitations imposed by the antitrust laws). Several of these initiatives are already underway.

The design and implementation of industry-sponsored copyright management systems has the potential to profoundly influence the market for digital media and the manner in which digital media are distributed. The choices that different industry sectors make with respect to these systems are likely to result in significant investments in new technologies and distribution channels. Moreover, these decisions will undoubtedly influence the options that are available to consumers, both in terms of the ease with which they will be able to access copyrighted content and the equipment that they will require to do so. A misguided decision about a particular copyright management system could result in unproductive investments and, worse, could retard the emergence of new markets for digital media.

For these reasons, EMusic.com believes it is vitally important that copyright management systems be subject to rigorous scrutiny prior to their widespread adoption by industry and consumers. Moreover, once in place, copyright management systems should continue to be subject to intensive, real-world challenges, so long as those challenges are not motivated by a desire to gain unauthorized access to, or engage in unauthorized uses of, copyrighted works. Legitimate evaluation and criticism of copyright management systems is the only surefire means of ensuring their effectiveness and vitality.

EMusic.com is therefore deeply concerned about the possibility that advocates of particular copyright management systems will use the anti-circumvention provisions of the DMCA to thwart or deter good-faith efforts to evaluate and publicize the vulnerabilities of those systems. While originally intended as a means of going after those who seek to circumvent cryptography-based access controls for illegitimate purposes, the anti-circumvention provisions could also be used as a weapon against those who seek to demonstrate the ineffectiveness of such controls for entirely legitimate reasons. If this were to be permitted, advocates of particular standards could use the DMCA to squelch opposition to that standard and to coerce industry and consumer acceptance of a standard that has not been subject to open testing.

Ambiguities in the Encryption Research Exception

Given the potential misuse of the anti-circumvention provisions of the DMCA, EMusic.com believe that it is extremely important that the encryption research exception set forth in Section 1201(g) be construed to permit individuals and companies to evaluate and publicize the vulnerabilities of copyright management systems, whether proposed or implemented. Unfortunately, however, Section 1201(g) contains several troubling ambiguities that could be seized upon by those who would seek to use the anti-circumvention provisions of the DMCA as a means of deterring legitimate evaluations. In particular, EMusic.com is concerned that:

An Illustration

It might be helpful to illustrate the foregoing concerns with a scenario that could, as they say, be "ripped from today's headlines." Although this scenario is greatly simplified, it amply demonstrates the problems that could result from an overly-restrictive interpretation of Section 1201(g).

A group of film studios and hardware manufacturers get together and establish a uniform copyright management specification for the distribution of digital video products. The specification controls the number of copies that can be made, the period during which the video can be watched, whether it can be watched on machines other than the viewer's, and other similar parameters. The specification incorporates encryption as a means of enforcing these controls. In this manner, the encryption used in the specification "effectively controls access" to a copyrighted work, and is therefore within the scope of the anti-circumvention provision, ¤ 1201(a)(1).

In one variant of the scenario, a film studio that was not a part of the standards-setting group decides that the adoption of the specification will hinder the overall development of the digital video market, as the manner in which it controls use of the video is likely to deter most consumers from purchasing titles that are subject to those controls, as well as the hardware that is necessary to play them. The film studio is concerned that widespread industry commitment to this standard will delay the expansion of the digital video market that it believes is required to justify a switch to digital-only distribution mechanisms. For these reasons, it wants to demonstrate that the specification is flawed, in part because the encryption that it incorporates can be compromised. As a known critic of the specification, however, it cannot obtain the proprietary hardware and software that it would need to subject one of its own film titles to the controls, and test the specification on that basis. Therefore, it obtains a video that is subject to the controls in the open marketplace, and hires an information security expert to crack the encryption on which the controls are based. In order to promote industry opposition to the specification, the film studio publicizes its success in cracking the encryption and provides details of the manner in which it was able to do so.

In a second variant of the scenario, a technically-minded customer is opposed to the industry specification because of the controls that it imposes, because it requires consumers to buy new hardware, and because it will gradually render his vast collection of film titles recorded in another format obsolete. He starts a website to generate public opposition to the standard. Although he has no formal training in encryption technology and is not employed in that field, he manages to crack the encryption used in the specification. He publicizes his success on the website, providing specific details of the manner in which he was able to do so. It is his hope that the publicity surrounding his announcement, and the fact that a means of bypassing the controls is now public knowledge, will convince the industry to abandon the standard in favor of one that is more consumer-friendly. He does not use his ability to crack the encryption as a means of gaining unauthorized access to copyrighted content.

In both variants of the scenario, the industry association that developed the standard brings suit under Section 1203 of the DMCA, arguing that the circumvention of the encryption violated Section 1201(a). It also seeks criminal prosecution under Section 1204. With regard to the dissident film studio, it argues that the encryption research exception does not apply because the film studio did not make a "good faith effort to obtain authorization before the circumvention," ¤ 1201(g)(2)(C), and because the film studio disseminated information about its successful circumvention of the encryption "in a manner that facilitate[d] infringement" of copyrighted works, ¤ 1201(g)(3)(A). With regard to the activist consumer, the industry association further argues that the exception does not apply because the consumer is not "engaged in a legitimate course of study" or "employed É trained or experienced in the field of encryption technology," ¤ 1201(g)(3)(B).

If the industry association were to prevail in either one of these suits, the message would be clear: proponents of industry standards can use Section 1201 to squelch legitimate criticism and analysis of those standards, including criticism and analysis that is not in the least bit motivated by a desire to gain unauthorized access to copyrighted works. This threat would be felt by both companies and private individuals. Proponents of particular standards could use this threat to conceal the vulnerabilities of those standards and to encourage widespread industry and consumer acceptance of a standard that will ultimately be shown - by persons with less noble intentions - to be ineffective.

The public harms that would result from this "squelching effect" could be significant and long-lasting. In the scenario sketched out above, for example, the inability of companies and individuals to reveal the vulnerabilities of the digital video specification early on could lead to significant industry and consumer investment in hardware and software devices that support the specification. The shortcomings of the specification might only be revealed as it became evident that a large number of people were hacking around the controls in order to engage in unauthorized uses of protected content. As such persons are not generally inclined to publicize their successes in cracking security implementations, it might take some time for the weaknesses of the system to emerge. In the meantime, however, the industry may have made significant investments in devices that support the specification, thereby influencing consumer choices and shaping the structure of the market for the (allegedly) protected content. In the worst case, the slow demise of the specification as its weaknesses were revealed could require industry and consumers to invest in an entirely new standard, thereby starting the cycle all over again. Clearly, both industry and consumers - but mostly consumers - would have been better off if the vulnerabilities of the specification had been revealed early on by companies or persons whose only intention was to demonstrate the ineffectiveness of its security.

Recommendations

As this illustration demonstrates, there are compelling reasons to be concerned about the potentially detrimental impact of the anti-circumvention provisions of the DMCA and, in particular, about an overly-restrictive interpretation of Section 1201(g). EMusic.com believes that, in their report to Congress, NTIA and the Copyright Office should identify these concerns and ambiguities, and should propose specific interpretations of Section 1201(g) - if not outright legislative amendments - that would address these issues. In particular, the report should recommend that:

EMusic.com greatly appreciates the opportunity to submit these comments on a matter of important public concern, and would be happy to meet with you and your respective offices to discuss these concerns in more detail.

Respectfully submitted,

Peter F. Harter
Vice President, Global Public Policy & Standards
EMusic.com, Inc.